Losing their Sparkle: vulnerabilities in updaters

Most Mac security experts have been warning for some time that you should only trust apps and updates which are delivered over secure connections, including those from secure services such as the Mac App Store, and those obtained over HTTPS, but not plain old HTTP.

This is because of the ease with which unsecured connections can be subverted, so that you end up with malware rather than the app or update which you thought you were getting.

When you use a service like the App Store, there should be no doubt that your connection with it is secure. This does not guarantee that everything you obtain from that service is free of malware – the XcodeGhost problem last year showed how reliant we are on Apple checking apps before they are offered for download – but places the burden on the service operator.

When you download apps and updates through your browser, you can inspect the connection information in the browser window to confirm that it uses HTTPS, as distinguished by the padlock icon.

But a lot of apps offer convenient in-app update facilities, commonly using the Sparkle Update framework.

Now Radek, on the Vulnerable Security blog, has shown that many apps which use Sparkle do not use HTTPS connections (which are recommended), only using vulnerable HTTP ones instead.

The ultimate fix is for all developers who use the Sparkle Update framework to update their apps to require HTTPS connections throughout. Until they do, it is difficult but possible to detect when plain old HTTP is being used, and the update is vulnerable. To do that you will need to run a packet sniffer, such as Wireshark or Cocoa Packet Analyzer, and see which protocol is being used. That is hardly practical for ordinary users, although system administrators responsible for pushing out updates to large networks should consider that, perhaps.

So far, developer response has been receptive and encouraging, and updaters are being updated to address the problem. Hopefully this will be essentially complete before anyone is nasty enough to try to exploit it.

Thanks to Patrick Wardle of Synack for drawing attention to this article.