Revised App Tightens OS X Security

Wednesday, February 3, 2016 @ 09:02 AM gHale

A new version of the Sparkle Updater framework has been released to mitigate a flaw in how it broadcasts app updates to Mac users.

The Sparkle Updater framework is a component used inside common Mac apps. Developers use Sparkle to automate their app’s update process so users don’t have to check their site on a daily basis.


Setting up the Sparkle Updater means implementing a client-side component inside each app, but also setting up a Sparkle update server, called an AppCast server, said researcher Radoslaw Karpowicz, who discovered the vulnerability.

AppCast is an RSS-like protocol which broadcasts app update notifications and release notes when the developer launches a new version. All this data goes out via XML messages.

The user of a Sparkle-enabled application can check for updates manually via the app’s menu, or the app will do it for them automatically at regular time intervals.

Karpowicz found all this update information went out via HTTP. Apps that do this include Adium (Pidgin alternative for Mac), Coda, iTerm, Facebook Origami, Pixelmator, SequelPro, Tunnelblick, and VLC. These are the apps that the researcher tested, but others could also broadcast update info.

Karpowicz said in a blog post that by setting up a Man-in-the-Middle (MitM) attack and intercepting the app’s update requests to the AppCast server, he was able to modify the XML update message and add his own malicious code.

Because the Sparkle library used the WebView component to process some of the data packed in the XML file, Karpowicz leveraged this entry point in his experiments and escalated his attack to trigger and execute code on the underlying OS X system.

He was also able to force the local system to allocate more memory to the update process than needed, creating a Denial of Service (DoS) state, and even launch an XML External Entity (XXE) attack that led to the disclosure of local files.
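As an added example that is not part of the original article or of the Sparkle project, the following Python audit reads an AppCast feed and reports the two exposures described above: update and release-notes links served over plain HTTP (what a MitM attacker can tamper with) and a DOCTYPE declaration in the feed (the hook for XXE payloads). The app name, URLs and feed contents are constructed for illustration; the Sparkle namespace and element names follow the appcast format.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace Sparkle uses for its appcast extensions (sparkle:releaseNotesLink etc.).
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample appcast for a hypothetical app, not any real vendor's feed.
# The release-notes link and the enclosure deliberately use plain HTTP.
SAMPLE_APPCAST = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>ExampleApp Updates</title>
    <item>
      <title>Version 2.1</title>
      <sparkle:releaseNotesLink>http://updates.example.test/notes/2.1.html</sparkle:releaseNotesLink>
      <enclosure url="http://updates.example.test/ExampleApp-2.1.zip"
                 sparkle:version="2.1" length="1024" type="application/octet-stream"/>
    </item>
  </channel>
</rss>
"""

def _insecure(url):
    """True when a URL is not served over HTTPS (plain http://, or no scheme at all)."""
    return urlparse(url.strip()).scheme.lower() != "https"

def audit_appcast(feed_url, xml_text):
    """Return a list of findings for an appcast feed and the URL it was fetched from.

    Any link fetched over plain HTTP can be replaced by an on-path attacker, and a
    DOCTYPE in the document is what external-entity (XXE) payloads rely on, so such
    a document is refused before it is ever handed to the XML parser.
    """
    findings = []
    if _insecure(feed_url):
        findings.append(f"feed fetched over insecure URL: {feed_url}")
    if "<!DOCTYPE" in xml_text.upper():
        findings.append("document declares a DOCTYPE; refusing to parse (XXE risk)")
        return findings
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", default="<untitled>")
        notes = item.find(f"{{{SPARKLE_NS}}}releaseNotesLink")
        if notes is not None and notes.text and _insecure(notes.text):
            findings.append(f"{title}: release notes over insecure URL: {notes.text.strip()}")
        for enclosure in item.findall("enclosure"):
            url = enclosure.get("url", "")
            if _insecure(url):
                findings.append(f"{title}: update enclosure over insecure URL: {url}")
    return findings

if __name__ == "__main__":
    for finding in audit_appcast("http://updates.example.test/appcast.xml", SAMPLE_APPCAST):
        print("FINDING:", finding)
```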

Karpowicz contacted the developers of the Sparkle Updater framework, who released version 0.13.1 to address this issue.