Vulnerability in the Sparkle framework affects many Mac apps



Sparkle is an open source framework for adding an auto-update feature to OS X apps.

It is available under the MIT license, and “is developed on GitHub by the Sparkle Project with the help of dozens of valued contributors”.

But a recently discovered vulnerability has left many applications that use this framework open to man-in-the-middle (MITM) attacks: anyone who can tamper with the app's update traffic can push code into it.

From ArsTechnica:

The vulnerability is the result of apps that use a vulnerable version of Sparkle along with an unencrypted HTTP channel to receive data from update servers. It involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution. As a result, attackers with the ability to manipulate the traffic passing between the end user and the server—say, an adversary on the same Wi-Fi network—can inject malicious code into the communication.

The attack

Here’s a brief video showing a proof-of-concept attack performed against a vulnerable version of the Sequel Pro app:

The researcher Simone Margaritelli has developed a technique that streamlines the attack by packaging it as a bettercap module.

He showed how he could exploit the vulnerability on a fully patched Mac running the latest version of VLC Media Player: you can read the article at this link, and the bettercap module can be downloaded here.

What are the affected applications?

The list is huge and can be read on Sparkle's GitHub; among the most common are:

  • Adium
  • Coda
  • iTerm
  • Facebook Origami
  • SequelPro
  • Tunnelblick
  • VLC

Solutions?

Radek’s suggestions for developers:

To fix and avoid RCE in your app, you need to edit Info.plist file and replace http -> https for SUFeedURL key. Remember to check if your server configuration supports https and you have a valid SSL certificate in place.

and

To fully protect against this issue you need to upgrade the Sparkle Updater framework to the version 1.13.1 (http://sparkle-project.org/) which was already patched.
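Both suggestions can be checked mechanically across a machine's installed apps. The scanner below is an added example for this post, not code from Radek, Simone Margaritelli or the Sparkle project. It assumes the usual bundle layout: the app's Contents/Info.plist carries the SUFeedURL key, and the embedded framework's version is the CFBundleShortVersionString in Contents/Frameworks/Sparkle.framework/Resources/Info.plist. The two sample bundles it builds in a temporary directory (OldTool.app and FixedTool.app, with example.com feed URLs) are constructed for the demo; on a real Mac you would call scan("/Applications") instead.

```python
"""Flag app bundles whose Sparkle feed is fetched over plain HTTP, or whose
embedded Sparkle.framework is older than the patched 1.13.1 release.

Added example, not code from the Sparkle project or the researchers quoted
in the post. Assumptions: SUFeedURL lives in the app's Contents/Info.plist
and the framework version is CFBundleShortVersionString in
Contents/Frameworks/Sparkle.framework/Resources/Info.plist.
"""
import os
import plistlib
import tempfile
from urllib.parse import urlparse

PATCHED = (1, 13, 1)  # first Sparkle release the post reports as patched


def parse_version(text):
    """'1.13.1' -> (1, 13, 1); tolerant of short or suffixed components."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def read_plist(path):
    """Load an XML or binary plist; None if missing or unparsable."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return None


def check_app(app_path):
    """Return a list of findings for one .app bundle (empty list = looks OK)."""
    findings = []
    info = read_plist(os.path.join(app_path, "Contents", "Info.plist"))
    if info is None:
        return ["no readable Info.plist"]
    feed = info.get("SUFeedURL")
    if feed is None:
        return []  # not a Sparkle app, or feed URL set in code rather than plist
    scheme = urlparse(feed).scheme.lower()
    if scheme != "https":
        findings.append("SUFeedURL fetched over %s: %s" % (scheme or "unknown scheme", feed))
    framework_info = read_plist(os.path.join(app_path, "Contents", "Frameworks",
                                             "Sparkle.framework", "Resources", "Info.plist"))
    if framework_info is None:
        findings.append("Sparkle.framework Info.plist not found; version unknown")
    else:
        version = framework_info.get("CFBundleShortVersionString", "0")
        if parse_version(version) < PATCHED:
            findings.append("Sparkle %s is older than patched 1.13.1" % version)
    return findings


def scan(apps_dir):
    """Map every *.app under apps_dir to its findings."""
    results = {}
    for name in sorted(os.listdir(apps_dir)):
        if name.endswith(".app"):
            results[name] = check_app(os.path.join(apps_dir, name))
    return results


def make_demo_app(root, name, feed_url, sparkle_version):
    """Build a minimal bundle: constructed sample input, not a real app."""
    contents = os.path.join(root, name, "Contents")
    resources = os.path.join(contents, "Frameworks", "Sparkle.framework", "Resources")
    os.makedirs(resources)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.example." + name[:-4].lower(),
                       "SUFeedURL": feed_url}, fh)
    with open(os.path.join(resources, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": sparkle_version}, fh)


def demo():
    """Vulnerable layout (http feed, old Sparkle) beside the fixed layout."""
    root = tempfile.mkdtemp()
    make_demo_app(root, "OldTool.app", "http://updates.example.com/appcast.xml", "1.11.0")
    make_demo_app(root, "FixedTool.app", "https://updates.example.com/appcast.xml", "1.13.1")
    return scan(root)


if __name__ == "__main__":
    for app, findings in demo().items():
        print(app, "->", findings or ["ok"])
```

The two checks are complementary, which is why the scanner reports them separately: an HTTPS feed denies the network attacker the chance to tamper with the appcast in transit, while the framework upgrade addresses the WebKit-side JavaScript execution described in the ArsTechnica quote. The feed check only sees a URL that is set in Info.plist; an app that supplies its feed URL from code will come back with no finding even if that URL is plain HTTP, so treat an empty result as "nothing found", not "safe". End users cannot apply either fix themselves; until a given app ships a rebuilt version, the practical mitigation is to avoid running its updater on untrusted networks.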


Published: February 11 2016