Sparkle update vulnerability
by Graham Needham (BH) on 10th February 2016
There is a reported and confirmed security vulnerability in the Sparkle update mechanism, which is used by many third party (non-Apple) software applications to enable automatic updates. The vulnerability only exists in specific applications and specific situations so the risk is low, but there is still a risk to any Apple Macintosh computer that may be running these applications. Read on for some simple questions and answers…
Q. What is Sparkle?
A. Sparkle is an independently developed piece of software used by many software developers to enable automatic software updates for their applications. A Sparkle based software update notification will usually look something like this:
[Screenshot of a Sparkle update dialog; the image is not included in this copy of the post.]
Q. What's the vulnerability?
A. If the software developer is using a vulnerable version of Sparkle and allows updates to be installed over a normal, non-encrypted HTTP session, you are vulnerable. It's possible to use a Man-In-The-Middle (MITM) attack to fool your software application into reporting that there is an update available (when there isn't) and then to execute code on your computer to do something malicious, e.g. install malware/viruses, delete files, etc.
Q. What are the Sparkle developers doing to fix this vulnerability?
A. They have updated Sparkle to not allow software updates over HTTP. However, the software developers using Sparkle need to update their own software with the updated Sparkle, or they need to only use a secure HTTPS connection for installing updates.
Q. What versions of Sparkle are vulnerable/affected?
A. Versions earlier than 1.13.1.
Q. Does this affect OS X?
A. This is a Sparkle and software developer issue that leverages the way OS X's WebView and Finder operate - it's possible Apple could update both of these to negate the impact of this vulnerability but the onus is primarily on the software developers that use Sparkle in their software to resolve the issue.
Q. Does this affect applications developed by Apple?
A. No.
Q. Does this affect applications purchased/installed via the Mac App Store?
A. No - the Mac App Store does not use Sparkle to update software purchased/installed via the Mac App Store.
Q. Does this affect iOS or my iPhone/iPad/iPod touch?
A. No.
Q. Does this affect Adobe Creative Suite?
A. No - Adobe does not use Sparkle and they have their own update software mechanism (albeit they are awfully bad at writing/testing their own software).
Q. Does this affect Microsoft Office?
A. No - Microsoft does not use Sparkle and they have their own update software mechanism.
Q. Which software developers use Sparkle?
Q. How can I tell which applications I have that use Sparkle and what version of Sparkle they use?
A. Go to Macintosh HD > Applications > Terminal and run this command:
find /Applications/ -path '*Sparkle.framework*/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString
It may take a few minutes to run this report but once it's finished you will have a list of Applications installed on your computer that use Sparkle and the version of Sparkle they use. You are looking for any applications that use v1.13.0 or earlier.
NOTE: This will report on applications within the Applications folder - if you have software installed elsewhere they will not be checked.
NOTE: Just because the application uses Sparkle v1.13.0 or earlier does not mean it is vulnerable - it is only vulnerable if the developer uses non-encrypted HTTP sessions to install software updates, and this is a lot more difficult to tell. If you're not sure it's best to err on the side of caution.
NOTE: On the 12th February 2016 Phil Stokes updated his DetectX software application utility so that it can help identify all applications and preference panes that use the vulnerable versions of Sparkle and list those that may be using non-encrypted HTTP sessions for installing updates (DetectX is donation-ware for non-commercial users, commercial users need to buy a licence).
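The following script is an added example (not from the original post or the Sparkle project) that extends the find command above and the "which circumstances" criteria below: besides the Sparkle version, it reads each bundle's SUFeedURL (Sparkle's Info.plist key for the appcast URL) so plaintext http:// feeds stand out, and it also covers preference panes. It assumes Info.plist files are XML or, on a Mac with plutil, binary; a feed URL that a developer sets in code rather than Info.plist will show as "none".

```shell
#!/bin/sh
# Added example, not from the original post: extends the find command above.
# It scans the given folders (default /Applications and ~/Applications) for
# Sparkle.framework, flags Sparkle 1.13.0 or earlier, and reads the enclosing
# bundle's SUFeedURL (Sparkle's Info.plist key for the appcast URL) so plaintext
# http:// feeds stand out. A feed URL set in code, not Info.plist, shows as none.

# plist_value FILE KEY -> the <string> value following KEY, or nothing
plist_value() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1" 2>/dev/null   # also decodes binary plists
    else
        cat "$1" 2>/dev/null
    fi | grep -A1 "<key>$2</key>" | sed -n 's#.*<string>\(.*\)</string>.*#\1#p' | head -n 1
}

# version_le A B -> true when dotted version A <= B (fields compared numerically)
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0 }'
}

# classify SPARKLE_VERSION FEED_URL -> verdict; an empty version counts as old (caution)
classify() {
    if version_le "$1" 1.13.0; then
        case "$2" in
            http://*)  echo "VULNERABLE: old Sparkle and plaintext HTTP feed" ;;
            https://*) echo "CHECK: old Sparkle, HTTPS feed (confirm with developer)" ;;
            *)         echo "CHECK: old Sparkle, no feed URL in Info.plist" ;;
        esac
    else
        echo "OK: Sparkle 1.13.1 or later"
    fi
}

# scan_sparkle DIR... -> one tab-separated line per Sparkle.framework found:
# version, feed URL (or none), verdict, bundle path (.app or .prefPane)
scan_sparkle() {
    find "$@" -path '*Sparkle.framework/Versions/*/Resources/Info.plist' 2>/dev/null |
    while IFS= read -r plist; do
        ver=$(plist_value "$plist" CFBundleShortVersionString)
        bundle=${plist%%/Contents/*}          # nearest enclosing .app/.prefPane
        feed=$(plist_value "$bundle/Contents/Info.plist" SUFeedURL)
        printf '%s\t%s\t%s\t%s\n' "$ver" "${feed:-none}" "$(classify "$ver" "$feed")" "$bundle"
    done
}

if [ "$#" -gt 0 ]; then scan_sparkle "$@"; else scan_sparkle /Applications "$HOME/Applications"; fi
```

Run it as `sh sparkle_scan.sh /Applications ~/Applications /Library/PreferencePanes` to include folders the original one-liner skips; an OK line still depends on the developer shipping the fixed framework, and CHECK lines are the ones to take up with the developer.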
Q. Why are so many developers still using old versions of Sparkle?
A. Newer versions of Sparkle only run on OS X 10.8 or higher so if an application developer wants to support OS X 10.7, Mac OS X 10.6 or even earlier they must use an earlier version of Sparkle. In this scenario the onus is on the developer to make sure they are using encrypted HTTPS sessions for installing updates.
Q. What are the circumstances in which I might be vulnerable?
A. All of the following criteria must be met for you to be vulnerable:
- A software application installed on your computer uses a vulnerable version of Sparkle.
- That software application allows updates to be installed over a normal, non-encrypted HTTP session.
- That software application must be running.
- At that moment in time there is a Man-In-The-Middle (MITM) attack on the network you are using - this is most likely when using a public/non-secure Wi-Fi network without a VPN that carries all of your traffic. It is still potentially possible to exploit this vulnerability on other networks, but any attackers would have to be government agencies or someone with access to primary internet/networking infrastructure, all of which is less likely.
Q. What should I do?
A. I recommend doing the following (but don't do this on a public/non-secure Wi-Fi network):
- Run the command in the Q&A above and save/print the list of applications that are possibly vulnerable.
- For each application in the above list:
- Go to the software developer's web site and check whether they have released an update fixing this issue or they have specifically issued a notice that they do not use non-encrypted HTTP sessions for installing updates - if they have issued an update fixing the issue download the update from the web site and install it manually.
- If an application does not have an update fixing the issue and there is no notice from the developer that they do not use non-encrypted HTTP sessions for installing updates, run the application and go to its preferences - look for the automatically check for updates (or similar) option and turn this option OFF temporarily until a secure update has been released. Unfortunately this means you won't get a notification when an update to fix this issue is released for this application (you will need to check for and install any updates manually) but at least it will enhance your security. If the application does not have a preference for automatically checking for updates, do not open the application, or temporarily delete it, until a secure update is available.
- If an application does not have an update fixing the issue and there is no notice from the developer that they do not use non-encrypted HTTP sessions for installing updates, where possible, contact the developer to ask them whether they use encrypted HTTPS sessions for installing updates or when they are going to fix the issue and release an update.
- If you get a Sparkle update notification (like the one pictured at the top of this blog post) do not tick the "Automatically download and install updates in the future" option until the application is fixed.
- Do not update third party applications when using a public/non-secure Wi-Fi network unless you are using a VPN and sending all traffic over that VPN.
Q. What applications are affected?
A. There are lots of applications that use Sparkle - there is a large list here, but note that this list does not state what versions of Sparkle the application uses and/or whether the software developer uses non-encrypted HTTP sessions for installing updates. Here are some applications we know have been updated to fix the issue, so if you are using them update them now (unless you are on a public/non-secure Wi-Fi network):
- Adium - fixed in v1.5.10.1 or later
- AppCleaner - fixed in v3.3 or later
- AppDelete - fixed in v4.2.4 or later
- BatChmod - fixed in v1.7 beta 5 or later
- BetterTouchTool - fixed in v1.55 or later
- BlueHarvest - fixed in v6.3.6 or later
- BTT - fixed in v1.55 (470) or later
- Dash - fixed in v3.2.2 (192) or later
- Default Folder - fixed in v5.0.2 or later
- Espionage - fixed in v3.6.5 or later
- Graphic Converter 9 - fixed in v9.7.5 or later
- iReal Pro - fixed in v7.0 or later
- MacBreakZ - fixed in v5.25 or later
- Malwarebytes Anti-Malware for Mac - fixed in v1.2 or later
- Name Mangler - fixed in v3.3.5 or later
- Sequel Pro - fixed in v1.1.0.1 or later
- SimpleImage - fixed in v6.1.6 or later
- Sketch - fixed in v3.5.2 or later
- Transmission - fixed in v2.90 or later
- Trim Enabler - fixed in v3.4.3 or later
- Tunnelblick - fixed in v3.5.6 build 4270.4505 (stable) or v3.6beta20 build 4505 (beta) or later
- Versatil Markdown - fixed in v1.1.4 or later
- VLC - fixed in v2.2.2 or later
If you are a software developer and you don't use non-encrypted HTTP sessions for installing updates, or have updated your software to use the updated Sparkle framework, and your product(s) are not on the list above, let MacStrategy know and we'll add your product(s) to the list.
Blog Post Author = Graham Needham (BH)
Blog Post Created On = 10th February 2016
Blog Post Last Revised = 25th January 2018 12:48
Blog Post URL = https://www.macstrategy.com/blog_post.php?30
This blog post is representative of the blog author's individual opinions and as such any opinions that may be expressed here may not necessarily reflect the views of everyone at MacStrategy or the holding company Burning Helix.