
New Exploit in Sparkle Framework Risks the Security of Mac Apps

February 16, 2016 | By SEO Comodo

Mac users of popular apps such as Evernote, HipChat, TeamViewer and Slack are potentially at risk of hacking attacks owing to a security flaw found in Sparkle, the third-party open source framework that app makers use to deliver updates.

Although the Sparkle team patched the vulnerability after it came to light, many users may still be exposed because their favorite apps still ship the affected version of Sparkle Updater. According to Radek, the security researcher who discovered the hole, a “huge” number of apps were affected by the Sparkle vulnerability.

“…all applications that use the Sparkle Updater framework and are connecting over HTTP instead of a secure HTTPS connection are vulnerable. Since Sparkle throws an error in case of an invalid SSL certificate by default, it helps to protect against MITM attacks when used wisely,” Radek wrote in his blog.

The fact that the vulnerability immediately endangers applications that fetch their updates over plain HTTP once again makes the case for adopting SSL encryption as a standard for increased security. It’s not clear how many apps have been affected, but some of the known victims of the vulnerability are popular apps like the video editing software Camtasia and the BitTorrent client uTorrent.
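The distinction Radek draws, a plaintext HTTP appcast versus an HTTPS one whose certificate Sparkle validates by default, is something an administrator can check for on a Mac. The following audit script is an added example, not code from the article or from the Sparkle project; it assumes that a Sparkle-based app declares its feed in the `SUFeedURL` key of its `Info.plist` and embeds `Sparkle.framework` under `Contents/Frameworks`, and the sample plist is constructed for the demonstration.

```python
import plistlib
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def feed_url_from_plist(plist_bytes: bytes) -> Optional[str]:
    """Return the Sparkle appcast URL (SUFeedURL key) from an Info.plist, if present."""
    info = plistlib.loads(plist_bytes)
    return info.get("SUFeedURL")


def classify_feed_url(url: Optional[str]) -> str:
    """'none'  -> no SUFeedURL (app may not use Sparkle, or sets the feed in code)
       'https' -> appcast fetched over TLS; Sparkle rejects invalid certificates by default
       'http'  -> plaintext appcast: an on-path attacker can tamper with the update feed
       'other' -> unexpected scheme, worth a manual look"""
    if url is None:
        return "none"
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme in ("https", "http"):
        return scheme
    return "other"


def audit_app_bundle(app_dir: Path) -> Dict[str, object]:
    """Audit one .app bundle: is Sparkle embedded, and over what scheme is its feed served?"""
    has_sparkle = (app_dir / "Contents" / "Frameworks" / "Sparkle.framework").exists()
    plist = app_dir / "Contents" / "Info.plist"
    url = feed_url_from_plist(plist.read_bytes()) if plist.exists() else None
    return {"app": app_dir.name, "sparkle": has_sparkle, "feed_url": url, "risk": classify_feed_url(url)}


def audit_applications(root: Path = Path("/Applications")) -> List[Dict[str, object]]:
    """Audit every .app bundle directly under root (default: /Applications)."""
    return [audit_app_bundle(p) for p in sorted(root.glob("*.app"))]


# Constructed sample Info.plist (not taken from any real app) with a plaintext feed URL.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
  <key>SUFeedURL</key><string>http://updates.example.com/appcast.xml</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(classify_feed_url(feed_url_from_plist(SAMPLE_PLIST)))  # http
    for r in audit_applications():
        if r["sparkle"] and r["risk"] != "https":
            print(f"{r['app']}: Sparkle present, feed={r['feed_url']!r} ({r['risk']})")
```

An app that sets its feed URL programmatically rather than in `Info.plist` will show as `none` even though it embeds Sparkle, so treat a `sparkle=True, risk=none` result as "inspect further", not as safe.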

Attackers can launch man-in-the-middle (MITM) attacks against end users through apps that use the affected version of the Sparkle framework. To show just how serious the problem was, security researcher Simone Margaritelli successfully demonstrated an attack against VLC Media Player, illustrating the danger the vulnerability posed to Mac users. VLC’s parent organization, VideoLAN, responded quickly and patched the issue.

Apps downloaded through the Mac App Store are safe because OS X does not use Sparkle to update that software. Sparkle has recommended that app owners and developers update to its latest version to avoid being affected by the vulnerability. Ars Technica, which first reported Radek’s finding, suggests that Mac owners avoid unsecured Wi-Fi networks or use a VPN to avoid being affected by the exploit.
