A new bug has been found in the Sparkle framework, which is used by a plethora of Mac apps, leaving them open to Man-in-the-Middle (MitM) attacks. The Sparkle vulnerability was discovered by Radek, a security researcher, and was reported by an Ars reporter.
What is Sparkle?
Sparkle is an open source project used by third-party OS X apps, including uTorrent, Duet Display, Camtasia and Sketch, to perform automatic updates in the background.
The bug is due to an improper implementation of the Sparkle Updater combined with the use of an unencrypted HTTP connection for the update check. This leaves the connection vulnerable to interception by attackers on the network path, who can slip in malware and steal sensitive information.
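As an added defender-side check (not code from the article or from the Sparkle project), the following Python audits an app's Info.plist and its appcast for the plain-HTTP update configuration described above. The sample plist and appcast are constructed for illustration; SUFeedURL, SUPublicDSAKeyFile and the appcast namespace are Sparkle's real identifiers.

```python
# Audit a Sparkle-using app's Info.plist and appcast for plain-HTTP URLs.
# Sample data below is constructed for illustration; the plist keys SUFeedURL,
# SUPublicDSAKeyFile and the appcast namespace are Sparkle's real ones.
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "{http://www.andymatuschak.org/xml-namespaces/sparkle}"

# Constructed Info.plist of a hypothetical app that ships an HTTP feed and no signing key.
SAMPLE_INFO_PLIST = b"""<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.hypotheticalapp</string>
<key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict></plist>"""

# Constructed appcast served from that feed; both links are plain HTTP.
SAMPLE_APPCAST = b"""<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
<channel><item><title>Version 1.1</title>
<sparkle:releaseNotesLink>http://updates.example.invalid/notes.html</sparkle:releaseNotesLink>
<enclosure url="http://updates.example.invalid/App-1.1.zip" sparkle:version="1.1" length="1"/>
</item></channel></rss>"""

def is_https(url: str) -> bool:
    return urlparse(url).scheme.lower() == "https"

def audit_info_plist(plist_bytes: bytes) -> dict:
    """Flag an HTTP appcast URL and a missing update-signing key in Info.plist."""
    info = plistlib.loads(plist_bytes)
    feed = info.get("SUFeedURL")
    if feed is None:  # non-Sparkle apps (e.g. Mac App Store builds) land here
        return {"uses_sparkle": False, "findings": []}
    findings = []
    if not is_https(feed):
        findings.append("SUFeedURL is not HTTPS: appcast can be altered in transit")
    if not info.get("SUPublicDSAKeyFile"):
        findings.append("no SUPublicDSAKeyFile: updates are not signature-checked")
    return {"uses_sparkle": True, "feed_url": feed, "findings": findings}

def audit_appcast(xml_bytes: bytes) -> list:
    """Return (element, url) pairs for enclosure and release-notes links that are not HTTPS."""
    insecure = []
    for item in ET.fromstring(xml_bytes).iter("item"):
        for enc in item.findall("enclosure"):
            if not is_https(enc.get("url", "")):
                insecure.append(("enclosure", enc.get("url", "")))
        for notes in item.findall(SPARKLE_NS + "releaseNotesLink"):
            link = (notes.text or "").strip()
            if not is_https(link):
                insecure.append(("releaseNotesLink", link))
    return insecure
```

Run `audit_info_plist` over the Info.plist inside each installed app bundle to find apps whose updater still talks plain HTTP, and `audit_appcast` over a fetched feed to catch unencrypted download or release-notes links.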
Which apps are affected?
The actual number of affected apps is not known, but Radek estimated the number could be huge. Some of the affected apps are Camtasia 2 (v2.10.4), uTorrent (v1.8.7), Sketch (v3.5.1) and DuetDisplay (v18.104.22.168).
It is worth mentioning that apps downloaded from the Mac App Store are not affected, because they do not use Sparkle for app updates.
What to do?
The best advice for protecting yourself from this vulnerability is that, when an app update is available, you visit the app's website and download the latest version rather than updating the app through the update window itself.
If you are updating an app from the Mac App Store, you need not worry about this vulnerability.