Large number of Mac users could be exposed to app update loophole

A potentially large number of Mac users could be at risk of man-in-the-middle attacks exploiting a common bug in a variety of third-party apps, according to a new report on Ars Technica.

The problem arises from a vulnerable version of Sparkle, a popular open source software framework that developers use to add update capabilities to their OS X apps.

"The vulnerability is the result of apps that use a vulnerable version of Sparkle along with an unencrypted HTTP channel to receive data from update servers," explained the Ars Technica report. "It involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution."

The result is that a hacker could pull off a man-in-the-middle attack involving the injection of malicious code, according to the report. The attack has been confirmed to be viable on both the El Capitan and Yosemite versions of OS X.

Technically, man-in-the-middle attacks could be pulled off on unencrypted Wi-Fi hotspots or by a compromised host on a wired local network – think advanced persistent threat. This is particularly troublesome because there is no easy way to identify whether an app is using an affected version of Sparkle and whether it uses the vulnerable unencrypted HTTP channel to communicate.
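One way a defender can triage this on a Mac, as an added example (not code from the article, from Ars Technica or from the Sparkle project): read each bundle's Info.plist, report whether Sparkle.framework is embedded and which version, and flag an appcast URL that uses plain http://. The SUFeedURL key and the framework path are Sparkle's own conventions; the sample plists, host names and version string below are constructed for the demonstration.

```python
from __future__ import annotations
import plistlib
from pathlib import Path
from urllib.parse import urlparse

# Sparkle reads its appcast (update feed) URL from the host app's Info.plist
# key SUFeedURL; the framework itself ships inside the bundle at this path.
SPARKLE_INFO = Path("Contents/Frameworks/Sparkle.framework/Resources/Info.plist")
APP_INFO = Path("Contents/Info.plist")

def audit_plists(app_info: bytes, sparkle_info: bytes | None) -> dict:
    """Classify one app from its Info.plist bytes (and Sparkle's, if embedded)."""
    info = plistlib.loads(app_info)
    feed = info.get("SUFeedURL")
    report = {
        "app": info.get("CFBundleName", "?"),
        "uses_sparkle": sparkle_info is not None,
        "sparkle_version": None,   # compare against Sparkle's own release notes
        "feed_url": feed,
        # A plain-http appcast is what lets a network attacker tamper with the
        # update channel; moving the feed to https is the mitigation described.
        "insecure_feed": bool(feed) and urlparse(feed).scheme.lower() == "http",
    }
    if sparkle_info is not None:
        report["sparkle_version"] = plistlib.loads(sparkle_info).get("CFBundleShortVersionString")
    # Caveat: an app can also supply its feed URL at runtime through Sparkle's
    # updater delegate, so a missing SUFeedURL is not proof that the app is safe.
    return report

def audit_app(bundle: Path) -> dict | None:
    """Audit an installed .app bundle on disk; None if it has no Info.plist."""
    info_path = bundle / APP_INFO
    if not info_path.is_file():
        return None
    sparkle_path = bundle / SPARKLE_INFO
    sparkle = sparkle_path.read_bytes() if sparkle_path.is_file() else None
    return audit_plists(info_path.read_bytes(), sparkle)

# Constructed sample plists (not taken from any real app) so the logic runs offline.
SAMPLE_HTTP = plistlib.dumps({"CFBundleName": "ExampleHttpApp",
                              "SUFeedURL": "http://updates.example.invalid/appcast.xml"})
SAMPLE_HTTPS = plistlib.dumps({"CFBundleName": "ExampleHttpsApp",
                               "SUFeedURL": "https://updates.example.invalid/appcast.xml"})
SAMPLE_SPARKLE = plistlib.dumps({"CFBundleShortVersionString": "0.0-placeholder"})

if __name__ == "__main__":
    for bundle in Path("/Applications").glob("*.app"):
        result = audit_app(bundle)
        if result and result["uses_sparkle"]:
            print(result)
```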

A check on the Sparkle site shows that it is "used by thousands of applications" including the likes of Evernote, Oracle Java, TeamViewer, VLC Media Player and "many, many more." Indeed, the Ars Technica report explained how a fully patched Mac running the latest version of VLC Media Player could have been compromised as recently as three days ago, though a patch had since been released that closes the security vulnerability.

As it is, the problem of identifying vulnerable apps mirrors the Heartbleed bug that stemmed from a security flaw in the OpenSSL software, though there is no question that the latter was an order of magnitude more severe because of the far greater number of applications that use OpenSSL.

Ultimately, the insecurity arising from the vulnerable version of Sparkle is unlikely to go away soon. While the latest version of Sparkle has already plugged the security hole, Ars Technica noted that some developers are having difficulty switching to it or moving their update channels to encrypted HTTPS only.

For users, this means that the only protection they have is to ensure they use a virtual private network when connecting to the Internet from third-party Wi-Fi networks.

For more:
- check out this article at Ars Technica
