A Severe Security Flaw Affects A Ton Of Mac Apps, Here’s Why


The last couple of years haven't been great for Apple in security stakes. We saw a numerous amount of security flaws and loopholes on both mobile and desktop, which despite being patched over time, put a serious question mark over Cupertino's watertight claims in this department. Now it seems things are about to take a new turn on Cupertino's desktop platform - OS X - as a new security flaw has emerged, and it puts an alarming amount of Mac apps in the affected region.

gatekeeper vulnerability Mac Security

A Third-Party Updater In A Ton Of Mac Apps Has A Major Security Flaw

The apps in question are affected due to a security flaw in a third-party updater (Sparkle Updater) which apps use to update themselves over the air. And surprisingly a lot of big name apps are in the crossfire, such as Sketch, uTorrent etc.

The security flaw, if utilized, allows a potential hacker to initiate a man in the middle attack, allowing them to install malicious code on a Mac, subsequently snooping through personal data if they so desire. Not pretty at all if you're asking us.

The discovery of this flaw was made by a security researcher who goes by the name Radek, reports Ars Technica:

The vulnerability is the result of apps that use a vulnerable version of Sparkle along with an unencrypted HTTP channel to receive data from update servers. It involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution. As a result, attackers with the ability to manipulate the traffic passing between the end user and the server—say, an adversary on the same Wi-Fi network—can inject malicious code into the communication. A security engineer who goes by the name Radek said that the attack is viable on both the current El Capitan Mac platform and its predecessor Yosemite.

If you think that is alarming enough, here's a demo of the flaw in action. It's a proof of concept, though.

The interesting thing here is that Sparkle Updater has already received an update itself, which of course, patches the security flaw. But the thing is, developers have to integrate that update within their apps in order to make things right again. And given that many apps utilize Sparkle, therefore it's very tough to gauge exactly how many apps are affected by this flaw. But if the report is to be believed, then a 'huge' number of apps are affected.

VLC flaw

Let's just hope app developers are swift enough to incorporate the update in order to fix things right away. VLC did, at least.