Security researcher Radoslaw Karpowicz has discovered a flaw in the way the Sparkle Updater framework transmits application updates to Mac users.
The Sparkle Updater framework is a popular component used within many popular Mac applications. Developers use Sparkle to automate the process of updating their application, so that users do not have to check their computer for updates every day.
Setting up Sparkle Updater involves embedding a client inside each application, a relatively simple matter for most Mac application developers, but also setting up a Sparkle update server, known as an AppCast server.
AppCast closely resembles the RSS protocol: it sends app update notifications and release notes each time a developer publishes a new version. All of this data is sent as XML messages.
Mr Karpowicz found that all of this update information was sent over plain HTTP. The applications he tested that were affected include Adium, Coda, iTerm, Facebook Origami, Pixelmator, SequelPro, Tunnelblick, and VLC. The researcher is confident that there are others among the applications he has not tried.
As he describes in his blog, he was able to carry out MITM (man-in-the-middle) attacks by intercepting the update notifications from the AppCast server. He then modified the XML request and inserted his own malicious code.
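The root cause above is an update feed fetched over plain HTTP. A simple defensive check is to read an application's Info.plist, where Sparkle stores its feed address under the SUFeedURL key, and flag any feed that is not served over HTTPS. The following is an added example, not code from the researcher's post or from the Sparkle project; the Info.plist content and the bundle identifier are constructed for illustration.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample Info.plist for a hypothetical Sparkle-enabled app.
# The feed URL deliberately uses http:// to show the insecure case.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.sampleapp</string>
    <key>SUFeedURL</key>
    <string>http://updates.example.com/appcast.xml</string>
</dict>
</plist>
"""


def audit_sparkle_feed(plist_bytes: bytes) -> dict:
    """Inspect an Info.plist and report how its Sparkle feed is configured.

    insecure_transport is True when the SUFeedURL scheme is anything other
    than https (i.e. the appcast could be intercepted and rewritten in transit).
    has_dsa_key reports whether a Sparkle update-signing public key is present,
    which is a separate control from transport security.
    """
    info = plistlib.loads(plist_bytes)
    feed_url = info.get("SUFeedURL")
    result = {
        "bundle": info.get("CFBundleIdentifier"),
        "feed_url": feed_url,
        "uses_sparkle": feed_url is not None,
        "insecure_transport": False,
        "has_dsa_key": "SUPublicDSAKeyBase64" in info,
    }
    if feed_url is not None:
        scheme = urlparse(feed_url).scheme.lower()
        result["insecure_transport"] = scheme != "https"
    return result


if __name__ == "__main__":
    # Running against the constructed sample reports the HTTP feed as insecure.
    print(audit_sparkle_feed(SAMPLE_INFO_PLIST))
```

To audit an installed app, read `<App>.app/Contents/Info.plist` from disk and pass its bytes to `audit_sparkle_feed`.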
The researcher contacted the developers of Sparkle Updater, who released version 0.13.1 to address the issue.
Mr Karpowicz has published a PoC to demonstrate the specific vulnerability.