Sparkle is an open source framework for adding an auto-update feature to OS X apps.
It is available under the MIT license, and “is developed on GitHub by the Sparkle Project with the help of dozens of valued contributors”.
Here’s a brief video showing a proof-of-concept attack performed against a vulnerable version of the Sequel Pro app:
He showed how he could exploit the vulnerability on a fully patched Mac running the latest version of the VLC Media Player. You can read the article at this link; the bettercap module can be downloaded here.
What are the affected applications?
The list is huge and can be read on Sparkle’s GitHub. Among the most common are:
- Facebook Origami
To fix and avoid RCE in your app, edit the Info.plist file and change the SUFeedURL value from http to https. Remember to check that your server configuration supports HTTPS and that you have a valid SSL certificate in place.
To fully protect against this issue, you need to upgrade the Sparkle Updater framework to version 1.13.1 (http://sparkle-project.org/), which is already patched.
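Both checks above can be automated per app bundle. The script below is an added example, not code from the Sparkle project or the original article. It assumes the embedded framework keeps its own Info.plist at the usual Sparkle.framework/Versions/A/Resources path and reports its release in CFBundleShortVersionString. The function names are hypothetical and the sample bundle is constructed.

```python
import plistlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError

PATCHED = (1, 13, 1)  # fixed Sparkle release named in the article
# Assumption: usual location of the embedded framework's own Info.plist.
SPARKLE_PLIST = "Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist"

def load_plist(path):
    """Read an XML or binary plist; return {} if missing or unparsable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ExpatError, plistlib.InvalidFileException):
        return {}
    return data if isinstance(data, dict) else {}

def version_tuple(text):
    """'1.13.1' -> (1, 13, 1), using the leading digits of each dotted part."""
    nums = (re.match(r"\d+", part) for part in str(text).split("."))
    return tuple(int(m.group()) if m else 0 for m in nums)

def audit_app(app_path):
    """Return findings for one .app bundle; an empty list means nothing flagged."""
    app, findings = Path(app_path), []
    feed = load_plist(app / "Contents/Info.plist").get("SUFeedURL")
    if feed is None:
        return findings  # app declares no Sparkle feed in Info.plist
    if urlparse(str(feed)).scheme.lower() != "https":
        findings.append(f"SUFeedURL is not https: {feed}")
    version = load_plist(app / SPARKLE_PLIST).get("CFBundleShortVersionString")
    if version is None:
        findings.append("Sparkle version could not be read")
    elif version_tuple(version) < PATCHED:
        findings.append(f"Sparkle {version} is older than 1.13.1")
    return findings

def make_sample_app(root, name, feed, sparkle_version):
    """Build a constructed, minimal bundle layout for the demo (not a real app)."""
    app = Path(root) / name
    for rel, body in (("Contents/Info.plist", {"SUFeedURL": feed}),
                      (SPARKLE_PLIST, {"CFBundleShortVersionString": sparkle_version})):
        (app / rel).parent.mkdir(parents=True, exist_ok=True)
        (app / rel).write_bytes(plistlib.dumps(body))
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old = make_sample_app(tmp, "Old.app", "http://updates.example.com/appcast.xml", "1.10.0")
        print(audit_app(old))
```

To audit installed software, call audit_app on each bundle under /Applications. An empty result only means the Info.plist feed and the bundled framework passed these two checks.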