Camtasia, uTorrent, DuetDisplay and Sketch are just some of a huge number of Mac apps at risk of being hijacked: they are potential victims of man-in-the-middle attacks. The vulnerability lies within Sparkle, the third-party software framework that Mac apps use to receive updates.
A vulnerable version of Sparkle, together with an unencrypted HTTP channel used to receive data, is the noxious brew that can result in Mac apps being exposed. Attackers could potentially tamper with the interaction between the end user and the server by injecting malicious code. Researchers Radek and Margaritelli demonstrated that the vulnerabilities could be exploited on both newer Mac platforms (a fully patched Mac with the latest version of VLC Media Player installed) and older ones.
Radek indicated that a “huge” number of Mac apps are affected, but was not able to specify the exact number, as it is difficult to identify all the conditions necessary for an app to be vulnerable to attack.
Jonathan Zdziarski, a computer forensics expert, also listed the Hopper reverse engineering tool and DXO Optics Pro as prospective victims of man-in-the-middle “ambushes”.
Users can be reassured that not all Mac apps communicate over an unencrypted, hence insecure, HTTP channel, nor do all of them use a vulnerable version of Sparkle: as an example, Margaritelli points to the Adium instant messenger, which uses HTTP channels for updates and yet is not thought to be vulnerable.
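To check which installed apps meet the conditions described above, the following added example (not code from the researchers or the Sparkle project) lists apps that bundle Sparkle, the framework version they ship, and whether their update feed uses cleartext HTTP. It assumes the feed is declared under the `SUFeedURL` key in the app's `Info.plist` and that the framework sits at the usual `Contents/Frameworks/Sparkle.framework` path; apps that set the feed in code show an empty feed.

```python
import plistlib
import sys
from pathlib import Path
from urllib.parse import urlsplit

SPARKLE = "Contents/Frameworks/Sparkle.framework"  # assumed bundle location


def read_plist(path):
    """Return the parsed plist (XML or binary), or None if missing/corrupt."""
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except Exception:  # unreadable or malformed plist: treat as absent
        return None


def audit_app(app_path):
    """Describe one .app bundle, or return None if it does not embed Sparkle."""
    app = Path(app_path)
    framework = app / SPARKLE
    if not framework.is_dir():
        return None
    info = read_plist(app / "Contents/Info.plist") or {}
    feed = str(info.get("SUFeedURL", "")).strip()
    fw_info = None
    for rel in ("Versions/A/Resources/Info.plist", "Resources/Info.plist"):
        fw_info = read_plist(framework / rel)
        if fw_info:
            break
    return {
        "app": app.name,
        # Reported so it can be compared with the fixed release named upstream.
        "sparkle_version": (fw_info or {}).get("CFBundleShortVersionString", "unknown"),
        "feed": feed,
        # Cleartext feed is only one of the two conditions for exposure.
        "cleartext_feed": urlsplit(feed).scheme.lower() == "http",
    }


def audit_dir(root="/Applications"):
    """Audit every top-level .app bundle under root."""
    return [r for p in sorted(Path(root).glob("*.app")) if (r := audit_app(p))]


if __name__ == "__main__":
    for r in audit_dir(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        flag = "HTTP " if r["cleartext_feed"] else "     "
        print(f'{flag}{r["app"]:<30} Sparkle {r["sparkle_version"]:<10} {r["feed"]}')
```

An app flagged `HTTP` still needs its Sparkle version checked against the project's release notes before it is treated as exposed.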
Radek pointed out that another, separate vulnerability was found in Sparkle, a less threatening one, through which attackers could have easily replaced one of the update files with a malicious one. Even though Sparkle has already released fixes for both vulnerabilities, the problem lies in installing them: Radek explained that developers would have to update the Sparkle framework within their apps, which is not exactly child’s play.
Challenges lie on both sides: app developers are grappling with security flaws, and end users are struggling to find secure apps. When it is not clear whether a Mac app is exposed to malicious attacks, it is good practice not to use unsecured Wi-Fi networks and to opt instead for secured connections.
Even in this case, there is no certainty of being totally out of danger, but it will definitely reduce the chances of being exposed, as attackers would have to have access to a phone network or Internet backbone and possibly be government spies.