Sunday, February 14, 2016

Sparkle Updater: a security risk in many Mac apps

Mac users are at risk of man-in-the-middle attacks (from an attacker on the same network) because of a vulnerability in the Sparkle framework, which a number of Mac apps use to manage automatic updates. The flaw was discovered a few weeks ago by a security engineer known as Radek.

Sparkle Updater is a framework used by developers of apps distributed outside the Mac App Store to handle automatic updates. Applications that bundle the vulnerable version of Sparkle and fetch their updates over unencrypted HTTP connections are at risk of being compromised: an attacker on the network path can tamper with the update traffic and deliver malicious code to the user.

A proof-of-concept attack was demonstrated by Simone Margaritelli using an older version of VLC, which has since been updated to fix the flaw. The vulnerability was tested on Yosemite and on the latest version of El Capitan.

Among the apps that use Sparkle there are some well-known ones, including Camtasia, VLC, Adium, uTorrent and Sketch. The number of potentially vulnerable applications appears to be fairly large: on GitHub you can find a list of apps that use Sparkle, although it should be noted that not all of them bundle the vulnerable version of the framework, and not all of them fetch updates over insecure HTTP channels.
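Whether a given app is exposed depends on two things mentioned above: which Sparkle version it bundles, and whether its update feed (the `SUFeedURL` key in the app's Info.plist) points at `http://` rather than `https://`. The following audit script is an added example written for this post, not Sparkle's own tooling or any of the listed projects' code. It assumes the standard bundle layout (`Foo.app/Contents/Info.plist` and `Foo.app/Contents/Frameworks/Sparkle.framework/Resources/Info.plist`) and XML plists; on macOS, binary plists must first be converted with `plutil -convert xml1 -o - Info.plist`. The directory argument and the output format are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): list apps that bundle
# Sparkle, the Sparkle version they ship, and whether their update feed
# URL (SUFeedURL) uses plain HTTP. Assumed layout:
#   Foo.app/Contents/Info.plist
#   Foo.app/Contents/Frameworks/Sparkle.framework/Resources/Info.plist
# Plists are assumed to be XML (convert binary ones on macOS with
#   plutil -convert xml1 -o - Info.plist).

# plist_value FILE KEY
# Print the <string> value that follows <key>KEY</key> in an XML plist.
# Newlines are stripped first so key and value may sit on separate lines.
plist_value() {
    tr -d '\n' < "$1" |
        sed -n "s/.*<key>$2<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p"
}

# classify_feed URL -> insecure | secure | none | other
# "insecure" is the case the post warns about: an http:// appcast that a
# man-in-the-middle on the same network can rewrite.
classify_feed() {
    case "$1" in
        http://*)  echo insecure ;;
        https://*) echo secure ;;
        "")        echo none ;;
        *)         echo other ;;
    esac
}

# audit_dir DIR
# One tab-separated line per app in DIR that bundles Sparkle.framework:
#   AppName  SparkleVersion  feed-class  feed-URL
audit_dir() {
    for app in "$1"/*.app; do
        [ -d "$app" ] || continue
        fw="$app/Contents/Frameworks/Sparkle.framework"
        # Apps without the framework are not affected by this flaw at all.
        [ -d "$fw" ] || continue
        # Resources is normally a symlink into Versions/; -d follows it.
        ver=$(plist_value "$fw/Resources/Info.plist" CFBundleShortVersionString 2>/dev/null)
        feed=$(plist_value "$app/Contents/Info.plist" SUFeedURL 2>/dev/null)
        printf '%s\t%s\t%s\t%s\n' \
            "$(basename "$app" .app)" "${ver:-unknown}" "$(classify_feed "$feed")" "$feed"
    done
}

# Default to the system Applications folder when run directly.
audit_dir "${1:-/Applications}"
```

Rows marked `insecure` are the ones to compare against Sparkle's changelog: an old bundled version plus an `http://` feed is exactly the combination the post describes. A `secure` feed does not by itself prove an app is safe (the bundled version still matters), and `none` usually means the feed URL is set in code rather than in Info.plist, so it has to be checked another way.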

Apps downloaded from the Mac App Store are not affected, since the built-in OS X software update system does not use Sparkle Updater. Sparkle has meanwhile released an updated version of the framework that fixes the problem, but it will take some time for developers to ship it in their apps. As a precaution, users of potentially vulnerable apps should avoid untrusted Wi-Fi networks or, where there is no alternative, use a VPN.
