‘Huge’ Number of Mac Apps Open to Hijacking From Sparkle Updater Vulnerability

A pair of vulnerabilities in the framework that some Mac apps use to receive automatic updates leaves them open to man-in-the-middle attacks, according to a report from Ars Technica covering a security flaw that was first discovered by a security researcher named Radek in late January.

Apps that use a vulnerable version of Sparkle and fetch their updates from the server over an unencrypted HTTP channel are at risk of being hijacked to deliver malicious code to end users. The Sparkle framework is used by apps distributed outside the Mac App Store to provide automatic software updates.

Some of the affected apps are widely downloaded titles like Camtasia, Duet Display, uTorrent, and Sketch. A proof-of-concept attack was shared by Simone Margaritelli using an older version of VLC, which was recently updated to patch the flaw. The vulnerabilities were tested on both OS X Yosemite and the most recent version of OS X El Capitan.

Image via EvilSocket

A ‘huge’ number of apps are said to be at risk, but as Ars Technica points out, it is difficult to tell exactly which apps that use Sparkle are open to attack. GitHub users have compiled a list of apps that use Sparkle, but not all use the vulnerable version and not all transfer data over non-secured HTTP channels.

Apps downloaded through the Mac App Store are not affected, as OS X’s built-in software update mechanism does not use Sparkle.

Sparkle has released a fix in the newest version of the Sparkle Updater, but it will take some time for Mac apps to implement the patched framework. Ars Technica recommends concerned users with potentially vulnerable apps installed avoid using unsecured Wi-Fi networks or do so only via a VPN.
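The article notes that it is hard to tell which installed apps are exposed, because exposure depends on two things a user cannot see from the app itself: which Sparkle version the app embeds, and whether its update feed is fetched over plain HTTP. The script below is an added example, not code from the article, Ars Technica or the Sparkle project, that checks both from the local disk. It assumes two facts about Sparkle's layout that come from the project's documentation rather than from this article: the feed address is stored in the app's Info.plist under the key SUFeedURL, and the framework is embedded at Contents/Frameworks/Sparkle.framework. The sample bundles, feed addresses and version strings it builds are constructed fixtures; which Sparkle versions are fixed is not stated here, so compare the reported version against the project's own release notes.

```python
# Added example: audit .app bundles for an embedded Sparkle framework and a
# plaintext (http://) update feed. Not part of the article or of Sparkle.
import os
import plistlib
import tempfile
from urllib.parse import urlsplit

# Layout assumptions (from Sparkle's documentation, not from the article).
SPARKLE_REL = os.path.join("Contents", "Frameworks", "Sparkle.framework")
# The framework uses the versioned bundle layout; "Resources" is normally a
# symlink to Versions/Current/Resources, so look at both spellings.
SPARKLE_INFO_CANDIDATES = (
    os.path.join("Resources", "Info.plist"),
    os.path.join("Versions", "A", "Resources", "Info.plist"),
)


def _load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def audit_app_bundle(app_path):
    """Describe one .app: does it embed Sparkle, which version, and is the
    update feed fetched over plain HTTP (tamperable in transit)?"""
    result = {
        "app": os.path.basename(app_path),
        "uses_sparkle": False,
        "sparkle_version": None,
        "feed_url": None,
        "plaintext_feed": False,
    }
    info_path = os.path.join(app_path, "Contents", "Info.plist")
    if not os.path.isfile(info_path):
        return result  # not an inspectable bundle
    feed = _load_plist(info_path).get("SUFeedURL")
    result["feed_url"] = feed

    framework = os.path.join(app_path, SPARKLE_REL)
    for rel in SPARKLE_INFO_CANDIDATES:
        candidate = os.path.join(framework, rel)
        if os.path.isfile(candidate):
            result["uses_sparkle"] = True
            result["sparkle_version"] = _load_plist(candidate).get("CFBundleShortVersionString")
            break
    if feed and not result["uses_sparkle"]:
        result["uses_sparkle"] = True  # an SUFeedURL key alone implies Sparkle
    if feed and urlsplit(feed).scheme.lower() == "http":
        result["plaintext_feed"] = True
    return result


def audit_directory(root):
    """Audit every *.app directly inside root (e.g. /Applications). Returns
    findings for Sparkle-using apps only, plaintext feeds listed first."""
    findings = []
    for name in sorted(os.listdir(root)):
        if name.endswith(".app"):
            report = audit_app_bundle(os.path.join(root, name))
            if report["uses_sparkle"]:
                findings.append(report)
    findings.sort(key=lambda r: (not r["plaintext_feed"], r["app"]))
    return findings


def build_sample_bundle(root, name, feed_url=None, sparkle_version=None):
    """Constructed fixture: a minimal fake .app layout, not a real app."""
    app = os.path.join(root, name)
    os.makedirs(os.path.join(app, "Contents"))
    info = {"CFBundleIdentifier": "example." + name.lower()}
    if feed_url:
        info["SUFeedURL"] = feed_url
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)
    if sparkle_version:
        res = os.path.join(app, SPARKLE_REL, "Versions", "A", "Resources")
        os.makedirs(res)
        with open(os.path.join(res, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": sparkle_version}, fh)
    return app


def demo():
    """Build three constructed bundles in a temp dir and audit them.
    Version strings and hostnames here are made up for the demonstration."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_bundle(root, "PlainFeed.app", "http://updates.example.invalid/appcast.xml", "1.5")
        build_sample_bundle(root, "TlsFeed.app", "https://updates.example.invalid/appcast.xml", "1.13")
        build_sample_bundle(root, "NoSparkle.app")
        return audit_directory(root)


if __name__ == "__main__":
    for r in demo():  # replace demo() with audit_directory("/Applications") on a real Mac
        flag = "PLAINTEXT FEED" if r["plaintext_feed"] else "ok"
        print(f"{r['app']:<16} Sparkle {r['sparkle_version']}  {flag}  {r['feed_url']}")
```

An app that reports a plaintext feed is the case the article describes: the appcast that tells Sparkle what to download can be rewritten by anyone on the network path, regardless of how the update itself is signed. An https feed closes that specific channel, but the embedded Sparkle version still needs to be compared with the patched release.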



Choose your online armor with the virtual private network that’s best for you [Deals]

Encrypting transactions, bypassing location restrictions, anonymizing browsing — the reasons for connecting to the web through a virtual private network are many, but so are the options. Luckily we’ve found four VPN services that are going for a fraction of the normal price, meaning instead of searching for a deal you can just choose the […]

(via Cult of Mac – Tech and culture through an Apple lens)



This simple app will get you around those annoying location restrictions [Deals]

When you pay for premium streaming services like Netflix and Hulu Plus, you don’t want a trip out of the country to mean you have to leave your favorite shows at home. There are a lot of sneaky ways to get around the regional restrictions, but a simple, hassle-free way is Getflix. It’s a single […]

(via Cult of Mac – Tech and culture through an Apple lens)



Open your own private lane on the information superhighway with PureVPN [Deals]

As open and free as the internet is purported to be, it’s easy to run into a lot of walls and not always safe. A great way to relieve the worry and hassles of online life is PureVPN, a virtual laser-fast private network that secures, anonymizes, and upgrades any online connection. And right now you […]

(via Cult of Mac – Tech and culture through an Apple lens)



Browse securely and freely with lifetime access to a VPN [Deals]

These days, it’s all too easy to feel vulnerable whenever conducting a transaction, sending a message, or even just idly surfing the web. One way to feel secure is with a secure virtual private network, and for those of us without the IT chops to set one up ourselves there’s proXPN VPN. Right now you […]

(via Cult of Mac – Tech and culture through an Apple lens)



Bypass all those pesky location restrictions with one simple app [Deals]

When shelling out for access to services like Netflix and Hulu Plus, you’re not banking on being barred from access just because you take a trip out of the country. Getflix is a service to make sure that never happens, and right now you can get a lifetime subscription for just $39. By selectively routing […]

(via Cult of Mac – Tech and culture through an Apple lens)



Many AT&T iPhone Users Unable to Download Apps and Stream Music Over LTE

A growing number of AT&T subscribers on the MacRumors forums appear to be having issues downloading apps and streaming music over LTE, with some claiming AT&T is throttling App Store downloads and Apple Music content.

When connected to Wi-Fi, users report that apps download normally, but over LTE, app downloads do not progress. Other users are reporting issues streaming content from the Apple Music app, with songs that start and then hang. As described by MacRumors reader Blizaine:

I have three different iOS devices. Two are running iOS 9.0.1 and one is running iOS 8.4.1. When they are connected to wifi, apps download fine. When on LTE, the app just sits there and the progress bar does not move, even after a very long period of time. When I run a speed test over LTE, I’m getting a solid 10-15Mbps down (3-4 bars).

Also, I have a VPN configured on one of the iOS 9.0.1 devices and when I enable the VPN over LTE, apps download fine. One of the devices also uses a different iTunes account. I suppose it could be a regional problem. I’m in Indianapolis, Indiana, USA. I’ve tried toggling the Download over Cellular option off and on and I’ve reset the network settings on one device and even did a factory reset on another, with no success.

Verizon and T-Mobile users do not appear to be experiencing any issues downloading content over LTE, suggesting the problem is limited to AT&T subscribers. Affected customers are using a range of iPhones and iPads, including the iPhone 4s, iPhone 6, iPhone 6s, and iPad Air 2.

One MacRumors reader contacted AT&T’s Advanced Tech Support line and was told that AT&T has been receiving multiple calls about this issue. AT&T support claimed it was a problem related to iOS 9/iOS 9.0.1 that would be fixed with iOS 9.0.2, but yesterday’s iOS 9.0.2 release does not seem to have fixed the problem for most users.

It is likely the trouble people are running into downloading apps and songs over LTE is a bug and not intentional throttling. Some users who are having trouble with downloads are also reporting slow speeds, pointing towards a possible network issue, but others say their LTE speeds are normal. The issue may also be limited to specific geographical areas, as there are some in California and Colorado that are not experiencing problems.

The problem seems to have begun over the past few days, and it does appear that AT&T is making an effort to fix it, with some users reporting intermittent success getting app downloads and Apple Music to work today.




What could be better than a lifetime of secure, premium VPN protection for 89% off? [Deals]

The internet is a wonderful, weird, and scary place. Protecting yourself online can be a full-time job, but with private network services like proXPN VPN, you can guard your online activity and identity easily. Right now, a premium lifetime subscription to their service is just $39 at Cult of Mac Deals. A lifetime premium subscription […]

(via Cult of Mac – Tech and culture through an Apple lens)

