Well, this is a mess.
A “huge” number of third-party Mac apps are under threat of man-in-the-middle attacks due to a recently discovered vulnerability in Sparkle, an open source framework used to facilitate software updates.
The flaw, which centered around a flawed WebKit rendering engine implementation found in certain Sparkle builds, is to blame for the newly discovered attack that allows malicious users to insert and execute JavaScript code when affected app check for software updates.
Along with a flawed Sparkle version, vulnerable apps must also be running an unencrypted HTTP channel to receive software updates from offsite servers. This can allow other users to capture network traffic and thereby run malicious code on a target computer. The exploit has been cited by a software engineer called “Radek”, who confirmed the exploit affects apps running on the latest versions of OS X 10.11 El Capitan and OS X 10.10 Yosemite.
An exhaustive list of affected apps has yet to be released, but researchers successfully applied the exploit to Camtasia, uTorrent and a recent version VLC Media Player. It should be noted that developers are aware of the Sparkle vulnerability, as VLC patched the hole in an update last week. A running list of apps that use Sparkle as an update framework has been posted to GitHub
Sparkle Updater has pushed out a fix in its latest version release, but it remains up to third-party app developers to integrate the patched framework.
Stay tuned for additional details as they become available.
Via AppleInsider and Ars Technica