Security Holes in Sparkle Render 'Huge' Number of Mac Apps Vulnerable: Report

Several popular apps including BitTorrent client uTorrent and video editing software Camtasia are likely vulnerable to security attacks. Vulnerabilities found in Sparkle, an open source third-party software framework used to facilitate software updates that many apps use to receive updates, have potentially exposed many apps to man-in-the-middle attacks, according to a report.

A flawed WebKit rendering engine implementation in Sparkle is said to have made it possible for attackers to execute JavaScript code. Reported by security researcher Radek, the exploit affects apps running on OS X 10.11 (El Capitan) and OS X 10.10 (Yosemite).

For the exploit to work, however, the vulnerable apps must be running on an unencrypted HTTP network. Moreover, an attacker would need to tap the unencrypted network and inject malicious code into the communication. Simone Margaritelli, another security researcher, demonstrated how the attack could be done. He managed to attack VLC Media Player. VideoLAN, the developer of the popular media player, has since updated the security patch.

"In short, all applications that use the Sparkle Updater framework and are connecting over HTTP instead of a secure HTTPS connection are vulnerable. Since Sparkle throws an error in case of an invalid SSL certificate by default, it helps to protect against MITM attacks when used wisely," Radek wrote in a blog post.

At this point, it is not clear exactly how many apps are affected due to vulnerabilities in Sparkle. Radek said (via ArsTechnica) that he believes the count to be "huge." Some apps that use Sparkle include Evernote, Fantastical, Flux, Slack, Twitterrific, HipChat, and TeamViewer among others. They haven't been flagged as vulnerable yet.

The good news is that Sparkle developers have patched the security holes, adding that developers that utilise their service should update to the latest version of the framework.