Security researcher Radoslaw Karpowicz has discovered a flaw in how the Sparkle Updater framework broadcasts app updates to Mac users.
The Sparkle Updater framework is a popular component used inside many common Mac apps. Developers use Sparkle to automate their app's update process and not have users check their site on a daily basis.
Setting up the Sparkle Updater means implementing a client-side component inside each app, a relatively simple task for most Mac app developers, but also setting up a Sparkle update server, called an AppCast server. AppCast is an RSS-like protocol which broadcasts app update notifications and release notes when the developer launches a new version. All this data is sent out via XML messages. The user of a Sparkle-enabled application can check for updates manually via the app's menu, or the app will do it for him automatically at regular time intervals.
Mr. Karpowicz discovered that all this update information was sent out in HTTP. Apps that do this include Adium (Pidgin alternative for Mac), Coda, iTerm, Facebook Origami, Pixelmator, SequelPro, Tunnelblick, and VLC. These are the apps that the researcher tested, but others could also broadcast update info.
As he describes on his blog, Mr. Karpowicz was able to set up a MitM (Man-in-the-Middle) attack by intercepting update requests from the Appcast server. He then modified the update message XML request and added his own malicious code.
Sparkle exposed users to RCE and XXE exploits
Because the Sparkle library was using the WebView component to process some of the data packed in the XML file, in his experiments, Mr. Karpowicz was able to leverage this entry point and escalate his attack to trigger and execute code on the underlying OS X system. Based on an attacker's skills and his ability to chain Mac OS X exploits together, theoretically, a total system compromise is possible.
The developer was also able to force the local system to allocate more memory to the update process than needed, creating a quasi-DoS (Denial of Service) state, and even launch an XXE (XML External Entity) attack that led to the disclosure of local files. The researcher contacted the developers of the Sparkle Updater framework, who released version 0.13.1 to address this issue. Mr. Karpowicz also published (technical) instructions on how to test a Mac app and see if it's vulnerable to this particular Sparkle vulnerability.