The vulnerability exposes users of affected third-party apps to a man-in-the-middle attack: when such an app uses an outdated version of the framework to check for updates over unencrypted HTTP, an attacker on the same network can tamper with the response and take control of the machine.
Who’s affected?
The problem, as described by a security engineer named Radek on vulnsec.com, does not affect apps updated through the Mac App Store. It affects third-party apps downloaded from the internet, installed manually by the user, and built with an outdated version of the Sparkle updater framework, which regularly checks for updates in the background.
Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker to take control of another computer on the same network (via MITM).
The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response).
Among the affected apps are Camtasia 2 (version 2.10.4), DuetDisplay (version 1.5.2.4), Sketch (version 3.5.1), and uTorrent (version 1.8.7), but many other third-party apps that bundle the same insecure version of the updater framework are also affected.
VLC Media Player was also affected, but an update to the app (version 2.2.2) has reportedly patched the problem. Ars Technica notes that the vulnerability affects Macs running OS X Yosemite and OS X El Capitan.
The team behind Sparkle has already released an updated version of the framework with the fix, but it will take some time for developers to rebuild and ship their applications with it. Until an app ships the patched framework, its users remain exposed whenever the update check runs over plain HTTP; a fixed Sparkle only helps once the app itself is updated.
To find which installed apps on your Mac use the Sparkle framework, run the following command in Terminal (straight single quotes, and each -exec terminated by an escaped semicolon):
find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
It prints the path of every Sparkle Autoupdate.app helper found under /Applications, followed by the version string from that helper's Info.plist, which is the version of Sparkle bundled with the app. Apps installed elsewhere (for example in ~/Applications) are not covered unless you point the command at those directories too.
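As an added example (not code from the article, from Radek's write-up, or from the Sparkle project), the script below extends that check in the direction the vulnerability actually points: for each .app bundle directly under a directory it reports the bundled Sparkle version and whether the app's appcast address is fetched over plain http://, which is the condition an on-path attacker needs. It assumes the app stores its feed address in the SUFeedURL key of Contents/Info.plist (apps that set the feed in code will show up as "no-feed-url") and that Contents/Frameworks/Sparkle.framework/Resources/Info.plist resolves to the framework's plist; the bundles it creates under make_fixture, with their names, versions and URLs, are constructed sample data so the audit can be run offline.

```shell
#!/bin/sh
# Added example, not code from the article or from the Sparkle project.
# Assumptions: a Sparkle-based app keeps its appcast address in the
# SUFeedURL key of Contents/Info.plist, and the bundled framework's own
# version in Contents/Frameworks/Sparkle.framework/Resources/Info.plist
# (on a real install "Resources" is a symlink into Versions/, which the
# shell follows transparently).

# plist_value FILE KEY: print the <string> that follows <key>KEY</key> in an
# XML plist (enough for these keys; a binary plist needs plutil -convert first).
plist_value() {
    [ -f "$1" ] || return 0
    tr -d '\n' < "$1" |
        sed -n "s/.*<key>$2<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p"
}

# audit_sparkle_apps DIR: one line per Sparkle-bearing .app directly under DIR:
# name, Sparkle version, feed URL, and a verdict on the feed transport.
audit_sparkle_apps() {
    find "$1" -maxdepth 1 -name '*.app' | sort | while read -r app; do
        fw="$app/Contents/Frameworks/Sparkle.framework"
        [ -d "$fw" ] || continue            # app does not ship Sparkle
        ver=$(plist_value "$fw/Resources/Info.plist" CFBundleShortVersionString)
        feed=$(plist_value "$app/Contents/Info.plist" SUFeedURL)
        case "$feed" in
            http://*)  verdict="PLAINTEXT-FEED" ;;   # update check is MITM-able
            https://*) verdict="https" ;;
            *)         verdict="no-feed-url" ;;      # feed may be set in code
        esac
        printf '%s\t%s\t%s\t%s\n' "$(basename "$app" .app)" \
            "${ver:-unknown}" "${feed:-none}" "$verdict"
    done
}

# count_plaintext_feeds DIR: how many apps under DIR poll an http:// appcast.
count_plaintext_feeds() {
    audit_sparkle_apps "$1" | grep -c 'PLAINTEXT-FEED' || true
}

# make_fixture DIR: constructed sample bundles (not real apps) so the audit
# can be exercised offline; names, versions and URLs are invented.
make_fixture() {
    root="$1"
    mk_app() {  # NAME SPARKLE_VERSION FEED_URL
        app="$root/$1.app"
        mkdir -p "$app/Contents/Frameworks/Sparkle.framework/Resources"
        printf '<plist><dict><key>CFBundleShortVersionString</key><string>%s</string></dict></plist>\n' \
            "$2" > "$app/Contents/Frameworks/Sparkle.framework/Resources/Info.plist"
        printf '<plist><dict><key>CFBundleName</key><string>%s</string><key>SUFeedURL</key><string>%s</string></dict></plist>\n' \
            "$1" "$3" > "$app/Contents/Info.plist"
    }
    mk_app OldUpdater 1.5.0  http://updates.example.invalid/appcast.xml
    mk_app NewUpdater 1.13.1 https://updates.example.invalid/appcast.xml
    mkdir -p "$root/NoSparkle.app/Contents"       # control: no Sparkle at all
    printf '<plist><dict><key>CFBundleName</key><string>NoSparkle</string></dict></plist>\n' \
        > "$root/NoSparkle.app/Contents/Info.plist"
}

# Usage on a real system:  audit_sparkle_apps /Applications
if [ $# -gt 0 ]; then
    audit_sparkle_apps "$1"
fi
```

A "PLAINTEXT-FEED" line is the case the article describes: the appcast is fetched without TLS, so anyone on the path can rewrite it. An "https" feed removes the network tampering step but still relies on the app shipping a fixed Sparkle, so compare the printed version against the release the Sparkle team published with the fix.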