
Sparkle updater in many Mac apps leaves apps vulnerable to hijacks

By Kenny Yeo - on 10 Feb 2016, 9:54am


According to reports, a large number of Mac apps have been found to be susceptible to man-in-the-middle type attacks due to a vulnerability in Sparkle, the third-party software framework the apps use to receive updates.

The attack is possible when an app using a vulnerable version of Sparkle receives its updates from servers over an unencrypted HTTP channel. In that case, a hacker on the same network can inject malicious code into the communications. This attack is viable on both OS X El Capitan and Yosemite.

The apps said to be affected include uTorrent, Camtasia, and VLC. Fortunately, VLC has uploaded a new version that fixes this problem.

At this point, it is hard to pinpoint exactly which apps are affected: although a lot of apps make use of Sparkle, not all of them are using the version that is vulnerable. However, users have compiled a list of apps that do use Sparkle here, and it is best to take note.

Finally, concerned users can protect themselves in the meantime by not using unsecured Wi-Fi networks, or by using them only through a VPN.

Source: Ars Technica