SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
2 Feb 2016

OS X security compromised via the update process of popular mac apps

Security researcher Radoslaw Karpowicz has discovered a flaw in how the Sparkle Updater framework broadcasts app updates to Mac users.

The Sparkle Updater framework is a popular component used inside many common Mac apps. Developers use Sparkle to automate their app's update process so that users do not have to check the developer's site on a daily basis.

Setting up the Sparkle Updater means implementing a client-side component inside each app, a relatively simple task for most Mac app developers, and also setting up a Sparkle update server, called an AppCast server. AppCast is an RSS-like protocol which broadcasts app update notifications and release notes when the developer launches a new version. All this data is sent out via XML messages. The user of a Sparkle-enabled application can check for updates manually via the app's menu, or the app will do it automatically at regular time intervals.

Mr. Karpowicz discovered that all this update information was sent out over HTTP. Apps that do this include Adium (Pidgin alternative for Mac), Coda, iTerm, Facebook Origami, Pixelmator, SequelPro, Tunnelblick, and VLC. These are the apps that the researcher tested, but others could also broadcast update info the same way.

As he describes on his blog, Mr. Karpowicz was able to set up a MitM (Man-in-the-Middle) attack by intercepting the update traffic exchanged with the AppCast server. He then modified the XML update message and added his own malicious code.

Sparkle exposed users to RCE and XXE exploits

Because the Sparkle library was using the WebView component to process some of the data packed in the XML file, Mr. Karpowicz was able in his experiments to leverage this entry point and escalate his attack to execute code on the underlying OS X system. Depending on an attacker's skill and ability to chain Mac OS X exploits together, a total system compromise is theoretically possible.

The researcher was also able to force the local system to allocate more memory to the update process than needed, creating a quasi-DoS (Denial of Service) state, and even to launch an XXE (XML External Entity) attack that led to the disclosure of local files. The researcher contacted the developers of the Sparkle Updater framework, who released version 0.13.1 to address this issue. Mr. Karpowicz also published technical instructions on how to test a Mac app and see if it is vulnerable to this particular Sparkle vulnerability.
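For administrators who want to find exposed apps on a fleet, the sketch below is an added example (not the researcher's published instructions and not Sparkle project code) that flags app bundles whose update feed is not fetched over HTTPS and reports the bundled Sparkle version for comparison with the fixed release. It assumes the feed is declared in the `SUFeedURL` key of the app's `Info.plist` and that the framework sits at its default embedded path; the sample bundles and `example.com` URLs are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError

# Assumed default location of the embedded Sparkle framework's own Info.plist.
FRAMEWORK_PLIST = "Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist"
# Constructed sample bundles (name -> SUFeedURL) so the audit runs offline.
SAMPLES = {"Plain.app": "http://updates.example.com/appcast.xml",
           "Tls.app": "https://updates.example.com/appcast.xml",
           "NoSparkle.app": None}

def read_plist(path):
    """Return the plist as a dict, or {} if missing, unreadable or malformed."""
    try:
        data = plistlib.loads(Path(path).read_bytes())
    except (OSError, ValueError, ExpatError):
        return {}
    return data if isinstance(data, dict) else {}

def audit_app(app_dir):
    """Inspect one .app bundle; return None if it declares no Sparkle feed."""
    app = Path(app_dir)
    feed = read_plist(app / "Contents" / "Info.plist").get("SUFeedURL")
    if not isinstance(feed, str):
        return None
    version = read_plist(app / FRAMEWORK_PLIST).get("CFBundleShortVersionString")
    return {"app": app.name, "feed": feed,
            # Anything other than https lets a network attacker alter the feed.
            "cleartext_feed": urlparse(feed.strip()).scheme.lower() != "https",
            "sparkle_version": version or "unknown"}

def audit_tree(root):
    """Audit every .app bundle directly under root (e.g. /Applications)."""
    found = (audit_app(p) for p in sorted(Path(root).glob("*.app")))
    return [r for r in found if r]

def make_sample_tree(root):
    """Write the constructed sample bundles into root."""
    for name, feed in SAMPLES.items():
        contents = Path(root) / name / "Contents"
        contents.mkdir(parents=True)
        info = {"CFBundleName": name, **({"SUFeedURL": feed} if feed else {})}
        (contents / "Info.plist").write_bytes(plistlib.dumps(info))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        print(*audit_tree(tmp), sep="\n")
```

On a real machine, call `audit_tree("/Applications")`; apps that set their feed URL in code rather than in `Info.plist` will not appear in the results.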

Tags:
OS X information leaks
Source:
Softpedia