It would seem that a massive amount of Mac apps are vulnerable to man-in-the-middle attacks because of a flaw in a third-party software updater.
The security hole exists in the Sparkle Updater framework – which is used to receive automatic updates by a large amount of apps on Apple's computers including uTorrent, Camtasia and Sketch – and could be used by an attacker to hijack the victim's machine, providing the attacker is on the same network (connected to the same Wi-Fi hotspot, for example).
The vulnerability was highlighted by a security researcher known simply as Radek who posted in detail on the exploit, as Ars Technica reports, and tested it working on both El Capitan, the latest version of OS X, and the previous version, Yosemite. He said that a "huge" amount of apps are affected.
Radek notes: "The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response)."
In other words, apps which use unencrypted HTTP (as opposed to HTTPS) and the vulnerable version of Sparkle Updater are open to being exploited.
Update that Updater, devs...
A new version of Sparkle Updater which addresses this issue (and a second lesser vulnerability Radek pointed out) is already available, but software developers may not have updated their product to use it yet.
Hence this is a bit of a minefield in terms of what apps could be affected – obviously it's only software which uses Sparkle, but not all these apps use insecure HTTP, and some programs may have already moved to the latest version of Sparkle Updater.
So for the moment, while developers patch up their software now news of this vulnerability has become widespread, if you're concerned about the apps on your machine then as Ars Technica advises, you're best off avoiding the likes of public Wi-Fi hotspots.
The incident is also another reminder that Mac security isn't cast-iron, a belief still held by some, but one being rapidly eroded these days.
No comments:
Post a Comment