Sparkle Got Ya Down?
OP
Joined: Aug 2009
If the Sparkle security issue has your attention and you find it onerous to determine which of your apps may be at risk, DetectX 2.1.3 to the rescue. It checks for all apps and Pref Panes on your system that need Sparkle updating. (The results appear in the log drawer after any Detector Search.) Of course, many/most developers have yet to release their app with the updated Sparkle. And older/legacy apps may not get updated at all... Still, it's probably best to at least know where perils lurk.
Harv 27" i7 iMac (10.13.6), iPhone Xs Max (12.1)
Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 4
Aye, matey ... and what be this Sparkle of which ye speak?
Re: Sparkle Got Ya Down?
OP
Joined: Aug 2009
Apparently, when a third party developer uses an outdated version of Sparkle, it leaves the user vulnerable to MitM attacks. See this. A partial list of affected apps can be found here. And there ye have it me buck'o.
Harv 27" i7 iMac (10.13.6), iPhone Xs Max (12.1)
Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Moderator
Joined: Aug 2009
Likes: 1
...what be this Sparkle of which ye speak? MacStrategy has a post explaining the Sparkle update vulnerability, while this recent entry on the Tao Effect Blog suggests that running Firefox on an account protects that account from the Sparkle vulnerability, even if the developers haven’t updated Sparkle in their software.
alternaut ◉ moderator
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 4
"And there ye have it me buck'o."

Not so much. Still no idea what Sparkle is. Googling it comes up with a couple of movies with that title and a cleaning service. Ostensibly you're talking about some sort of app which has security issues. Since I use Firefox, alternaut's comments would seem to indicate that I'd be protected even in my ignorance.
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 15
"Apparently, when a third party developer uses an outdated version of Sparkle, it leaves the user vulnerable to MitM attacks. See this. A partial list of affected apps can be found here. And there ye have it me buck'o."

So as not to alarm people needlessly... Your linked list is not a list of affected apps, merely apps that use Sparkle.
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 15
Sparkle is the apparatus developers use to notify users of updates and install them. When you see this screen, Sparkle is at work.
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 15
From your linked TAO EFFECT BLOG doc: "It turns out, if you’ve ever opened Firefox, you are not vulnerable (to the FTP version of the attack), even if Firefox is not running and you’ve manually set the Finder as the default FTP handler." (Emphasis added)

I either missed or didn't follow anything about the non-FTP version of the attack.

Important: Does running DNSCrypt have any effect on this vulnerability?
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 4
"Sparkle is the apparatus developers use to notify users of updates and install them. When you see this screen, Sparkle is at work."

All that is is the sparkle-project.org's homepage. Still not sure how that might affect or be of interest to me in terms of guarding against malware and the like.
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 15
"Still no idea what Sparkle is."

"Sparkle is the apparatus developers use to notify users of updates and install them. When you see this screen, Sparkle is at work."

"All that is is the sparkle-project.org's homepage. Still not sure how that might affect or be of interest to me in terms of guarding against malware and the like."

That home page answered your initial question, and this, I think, is the answer to your new question... Any time one of your apps pops up a Sparkle dialog box you may be vulnerable to a MitM attack if you click on "Install Update". According to alternaut's linked doc, you may be safe if you've launched Firefox at least once in each account in which you use Sparkle, but as far as I can see, the best approach to dealing with the vulnerability (which, by the way, is the result of a flaw in OS X, not Sparkle) is to simply avoid using it unless you're 100% certain that the app asking to be updated is asking via a secure version. Use MacUpdate or the dev's website instead. And if an app asks to be updated to a secure version of Sparkle via a vulnerable version...
Last edited by artie505; 02/13/16 08:57 AM. Reason: Add source of vulnerability
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 4
I must not be making myself clear. We're talking at skewed purposes. I don't know anything about Sparkle (other than that it's somehow related to downloads/updates); I don't have anything on my computer which relates to Sparkle; etc. May I assume that I would have to actually have installed and use Sparkle to risk security issues? Or is Sparkle some sort of background application which other parties use to let me download/update apps?
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 8
As I understand it, Sparkle is the mechanism by which developers can create a "Check for updates…" menu item in their application that can lead to a download and installation of an update of their software from within the software itself.
Obviously this requires an Internet connection and apparently the old code that does the download, etc. can allow an intruder to get in and do nefarious things.
You won't see an application or mention of "Sparkle" on your computer any more than you would see the name of the coding language used to build an application (unless you are using the language yourself).
On a Mac since 1984. Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 1
"I must not be making myself clear. We're talking at skewed purposes. I don't know anything about Sparkle (other than that it's somehow related to downloads/updates); I don't have anything on my computer which relates to Sparkle; etc. May I assume that I would have to actually have installed and use Sparkle to risk security issues? Or is Sparkle some sort of background application which other parties use to let me download/update apps?"

Sparkle is a piece of code that developers can insert into their programs to have the programs self-update. You'll never explicitly install Sparkle; instead, you install programs whose developers have chosen to use Sparkle. Unfortunately, Sparkle has a security flaw that could, under certain highly controlled circumstances, allow malicious actors to intercept a Sparkle update and download malware instead. Say, for example, that you use the program Adium or some other app that uses Sparkle. You run it and it says "an update to this program is available, do you want to install it?" You say yes. The malicious actors could insert themselves between the Web site of the company that makes your software and you, so that instead of downloading the new version of Adium (or whatever), you download malware instead.
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 4
From that latest description and the fact that I always download/update applications directly from the producers (eg, Apple, Microsoft, Adobe, Oracle, Mozilla) and never through third parties (such as MacUpdate) I take it that I'm likely not at risk. Please correct me if I'm wrong and, if so, advise what can be done about it.
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 15
"May I assume that I would have to actually have installed and use Sparkle to risk security issues? Or is Sparkle some sort of background application which other parties use to let me download/update apps?"

Life sure would have been easier if you had asked that specific question earlier. Under the circumstances you just described you're at absolutely zero risk. Without knowing it, though, you may actually have an app or utility that uses Sparkle, and it may pop up an update request at some point. In that event, simply click on the "Skip This Version" button. (It's clicking on the "Install Update" button that's got the potential to get you into trouble.)
Last edited by artie505; 02/14/16 09:19 AM. Reason: Correct button names
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 15
Not that I ever use Sparkle, but if I did, would DNSCrypt derail somebody trying to exploit the vulnerability we've been discussing?
Thanks.
Last edited by artie505; 02/14/16 09:38 AM. Reason: Better
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 4
"Life sure would have been easier if you had asked that specific question earlier. Under the circumstances you just described you're at absolutely zero risk."

If Pendragon and/or others had defined at the outset what Sparkle is (rather than assuming a priori awareness of what it's about — see the first sentence of the first post to see what I mean), then I could have framed the question(s) more knowledgeably. That's why it took so long to get around to phrasing it appropriately. Running through the thread makes it pretty clear that I was trying to home in on what the application is and does and subsequently how it might affect me.
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 15
Yeah, this thread did begin pretty obscurely...an approach to dealing with a never before mentioned vulnerability in a never before (I think) mentioned app that many users don't even know is on their Macs. My own bad, though, for thinking that the Sparkle homepage had sufficient info to answer your question even in the vacuum in which you were working. I'm glad it's all worked out now.
Last edited by artie505; 02/14/16 12:17 PM. Reason: Expand
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Moderator
Joined: Aug 2009
Likes: 16
There appears to be a lot of misunderstanding of what Sparkle is, what the vulnerability is, and whether or not you have "it" on your Mac or you use "it".
- Sparkle is a legitimate Open Source framework used by a variety of application developers including some of the big guys.
- If you download and install third party applications on your Mac that have a "check for updates" feature, you are likely to have some version of Sparkle on your Mac.
- The application developer includes Sparkle as a convenience for the user and almost always that feature can be turned on or off in the application's preferences. Turning the "check for updates" feature off obviates the vulnerability.
- Applications do not advertise their use of the Sparkle framework any more than they advertise the programming language(s) used to write the application, so there is no way of telling whether a given app uses the Sparkle framework or not.
- The only way of removing Sparkle from an app that uses it is to delete the app.
- It is only older versions of Sparkle that are vulnerable to exploits. The vulnerability is not present in the more recent versions. Unfortunately you are unlikely to have any information on which version of Sparkle is used by the app.
- Some developers overlook the admonition to use an encrypted (HTTPS) channel to report the version information back to the enquiring.
- You can find an authoritative discussion of the Sparkle vulnerability on The Hacker News.
If we knew what it was we were doing, it wouldn't be called research, would it?
— Albert Einstein
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 15
Nice post... lays it out more clearly than has heretofore been done.

"The application developer includes Sparkle as a convenience for the user and almost always that feature can be turned on or off in the application's preferences. Turning the "check for updates" feature off obviates the vulnerability"

The down-side to that approach is that it costs you the notification feature, so I'll offer up the idea of leaving Sparkle active but just not using it to update, which I think covers all bases.

"Some developers overlook the admonition to use an encrypted (HTTPS) channel to report the version information back to the enquiring."

That follows The Hacker News's "The first loophole is due to the improper implementation of Sparkle Updater framework by the app developers. The app developers are using an unencrypted HTTP URL to check for new updates, rather than an SSL encrypted channel." but it's at odds with alternaut's linked doc, which says "Sparklegate is a fundamental flaw in OS X, not Sparkle. It is a flaw in Finder (foremost) and WebView (second most)." Any idea about that?

"As a result, an attacker in the same network could perform MitM attacks and inject malicious code into the communication between the end user and the server, potentially allowing an attacker to gain full control of your computer." (Emphasis added)

Is that "in the same network" as mitigating a factor as it sounds? And finally, does DNSCrypt, which protects against MitM attacks, protect against this vulnerability? Thanks.
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 1
"but it's at odds with alternaut's linked doc which says Sparklegate is a fundamental flaw in OS X, not Sparkle. It is a flaw in Finder (foremost) and WebView (second most). Any idea about that?"

Part of the issue is there are actually two potential vulnerabilities, one that's purely in Sparkle and one that capitalizes on a mechanism in OS X.

The purely Sparkle vulnerability is that older Sparkle implementations fetch information about application updates over HTTP, not HTTPS. If you are on WiFi when you do an update, a malicious person on the same WiFi connection can intercept the request for the app update information and modify it, causing Sparkle to download an app from his computer instead of the update for the app you're trying to update.

The second flaw pertains to how the Finder works. The Finder can be set to be the computer's FTP handler. If the FTP handler is set to Finder, then a call to an FTP address will result in the FTP server being mounted as a network hard drive in the Finder. This can result in an attacker being able to download a file onto your computer via FTP from a malicious FTP server.

The former problem is a problem in Sparkle that's fixed by fetching app update requests over HTTPS, not HTTP. The latter is not so much a bug as the way OS X was designed to work, though the design is perhaps poorly thought out.
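The "app update information" tacit refers to is Sparkle's appcast, an RSS feed whose items carry the new version, a release-notes link (rendered in the updater's WebView) and an enclosure pointing at the update archive. The following is an added example, not Sparkle's code and not from this thread: it audits an appcast for the plaintext-transport problems described above, i.e. every point an on-path attacker can rewrite when any leg of the update path is plain HTTP. It also notes whether the enclosure carries Sparkle's sparkle:dsaSignature attribute; only the presence of the attribute is checked here, since real signature verification is done by Sparkle against the public key embedded in the app. The two appcasts and the updates.example.test host are constructed samples.

```python
"""Audit a Sparkle appcast for plaintext-transport weaknesses.

Added example; not Sparkle's own code. Both appcasts below are constructed
samples and the host names are made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
NS = {"sparkle": SPARKLE_NS}


def scheme_of(url):
    """Lower-cased URL scheme, or '' when the URL is missing."""
    return urlsplit(url or "").scheme.lower()


def audit_appcast(feed_url, xml_text):
    """Return {'safe': bool, 'findings': [str], 'items': [dict]} for one appcast."""
    findings = []
    if scheme_of(feed_url) != "https":
        # The feed itself is the first thing an on-path attacker rewrites.
        findings.append(f"appcast fetched over {scheme_of(feed_url) or 'unknown scheme'}: "
                        "anyone on the path can rewrite version, links and enclosure")
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        enclosure = item.find("enclosure")
        url = enclosure.get("url") if enclosure is not None else None
        version = enclosure.get(f"{{{SPARKLE_NS}}}version") if enclosure is not None else None
        signed = enclosure is not None and bool(enclosure.get(f"{{{SPARKLE_NS}}}dsaSignature"))
        notes = item.findtext("sparkle:releaseNotesLink", namespaces=NS)
        label = f"item {version or '?'}"
        if notes and scheme_of(notes) != "https":
            findings.append(f"{label}: release notes over {scheme_of(notes)}; "
                            "injected HTML is rendered in the updater's WebView")
        if url is None:
            findings.append(f"{label}: no enclosure")
        elif scheme_of(url) != "https":
            findings.append(f"{label}: enclosure over {scheme_of(url)}; the archive can be swapped")
        if url is not None and not signed:
            findings.append(f"{label}: enclosure carries no sparkle:dsaSignature")
        items.append({"version": version, "url": url, "release_notes": notes, "signed": signed})
    return {"safe": not findings, "findings": findings, "items": items}


# Constructed sample: everything plain HTTP and nothing signed (the case tacit describes).
VULNERABLE_APPCAST = """<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>OldChat updates</title>
    <item>
      <title>Version 2.1</title>
      <sparkle:releaseNotesLink>http://updates.example.test/oldchat-2.1.html</sparkle:releaseNotesLink>
      <enclosure url="http://updates.example.test/OldChat-2.1.zip" sparkle:version="2.1"
                 length="1024" type="application/octet-stream"/>
    </item>
  </channel>
</rss>"""

# Constructed sample: HTTPS everywhere and a signed enclosure (placeholder value, not a real signature).
HARDENED_APPCAST = """<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>NewChat updates</title>
    <item>
      <title>Version 2.1</title>
      <sparkle:releaseNotesLink>https://updates.example.test/newchat-2.1.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.test/NewChat-2.1.zip" sparkle:version="2.1"
                 sparkle:dsaSignature="PLACEHOLDER-SIGNATURE-NOT-REAL"
                 length="1024" type="application/octet-stream"/>
    </item>
  </channel>
</rss>"""


if __name__ == "__main__":
    for feed, xml_text in (("http://updates.example.test/oldchat.xml", VULNERABLE_APPCAST),
                           ("https://updates.example.test/newchat.xml", HARDENED_APPCAST)):
        report = audit_appcast(feed, xml_text)
        print(feed, "->", "safe" if report["safe"] else "NOT safe")
        for line in report["findings"]:
            print("  -", line)
```

Note that a hardened appcast served over plain HTTP still yields one finding: the transport of the feed matters independently of what the feed says, because the attacker never needs to touch the archive if they can rewrite the release-notes link the WebView will load.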
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 15
Thanks for the clarification, tacit.
That explains the FTP version of the attack mentioned in the Tao Effect Blog which, by the way, doesn't mention the HTTP/HTTPS vulnerability.
It sounds like we've finally got a complete picture of what we're up against (and it now appears that having opened Firefox is not all that it's been cracked up to be).
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Joined: Aug 2009
Likes: 4
"Nice post... lays it out more clearly than has heretofore been done."

Thanks. Indeed it do [sic] ... much appreciated.
Re: Sparkle Got Ya Down?
Moderator
Joined: Aug 2009
Likes: 1
- If you download and install third party applications on your Mac that have a "check for updates" feature, you are likely to have some version of Sparkle on your Mac.
- Applications do not advertise their use of the Sparkle framework any more than they advertise the programming language(s) used to write the application so there is not way of telling whether a given app uses Sparkle framework or not
- It is only older versions of Sparkle that are vulnerable to exploits. The vulnerability is not present in the more recent versions. Unfortunately you are unlikely to have any information on what versions of Sparkle is used by the app.
For those who do want to know about the underlined parts of the selected points from Joemikeb’s post, regardless of their theoretically small exposure to the Sparkle vulnerability, Sqwarq Software’s DetectX utility added a Sparkle security check for all apps and Pref Panes on the system starting with v 2.13. It will list all such items that use the vulnerable (= HTTP using) versions of the Sparkle.framework. To access this Sparkle search, check the relevant box in DetectX’s preferences before you run the (‘All Searches’) Search. This may take a minute or so, and might be ‘disappointing’ (e.g., my test was negative). PS, Regardless of search results present in the main window or communicated by popup (’Negative’), all details are listed in DetectX’s log. This can be accessed by selecting ‘Log Drawer’ from the ‘View’ menu, or by clicking the white-on-blue ‘ i’ button in the lower left of the results window. The Sparkle results are found toward the end of the log.
Last edited by alternaut; 02/15/16 05:17 PM. Reason: added detail
alternaut ◉ moderator
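For anyone who would rather run the check themselves than install a utility, the following is an added example (not DetectX's code, and not from any post above). It walks a directory of bundles, reports which ones embed Sparkle.framework, reads the framework's version string, and flags apps whose static SUFeedURL in Info.plist is plain http. It assumes the standard bundle layout, Contents/Info.plist and Contents/Frameworks/Sparkle.framework/Resources/Info.plist, and builds its own constructed sample bundles in a temporary directory for the offline demo; pass /Applications or ~/Library/PreferencePanes as arguments to scan a real system.

```python
"""Find app bundles that embed Sparkle and flag those whose appcast feed is plain HTTP.

Added example; this is not DetectX's code. Assumed layout:
  <Bundle>/Contents/Info.plist                                         (SUFeedURL, when set statically)
  <Bundle>/Contents/Frameworks/Sparkle.framework/Resources/Info.plist   (framework version)
The bundles written by build_sample_tree() are constructed for the demo.
"""
import sys
import tempfile
import plistlib
from pathlib import Path
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

BUNDLE_SUFFIXES = (".app", ".prefPane")


def read_plist(path):
    """Load a property list, or return None when it is absent or unreadable."""
    try:
        with Path(path).open("rb") as fh:
            return plistlib.load(fh)
    except (OSError, ValueError, plistlib.InvalidFileException, ExpatError):
        return None


def sparkle_version(bundle):
    """Version of an embedded Sparkle.framework, or None when none is embedded."""
    fw = bundle / "Contents" / "Frameworks" / "Sparkle.framework"
    for info in (fw / "Resources" / "Info.plist",
                 fw / "Versions" / "A" / "Resources" / "Info.plist"):
        data = read_plist(info)
        if data is not None:
            return str(data.get("CFBundleShortVersionString", "unknown"))
    return None


def inspect_bundle(bundle):
    """Finding for one bundle, or None when nothing Sparkle-related is present."""
    info = read_plist(bundle / "Contents" / "Info.plist") or {}
    version = sparkle_version(bundle)
    feed = info.get("SUFeedURL")
    if version is None and feed is None:
        return None
    scheme = urlsplit(feed).scheme.lower() if feed else None
    if scheme == "http":
        status = "AT RISK (appcast over plain http)"
    elif scheme == "https":
        status = "ok (appcast over https)"
    else:
        # No static SUFeedURL: Sparkle also lets an app hand the feed URL to the
        # updater at run time, so "unknown" means "verify", not "safe".
        status = "unknown (no SUFeedURL in Info.plist)"
    return {"bundle": bundle.name, "sparkle_version": version, "feed_url": feed, "status": status}


def scan(root):
    """Scan a directory of bundles (e.g. /Applications or ~/Library/PreferencePanes)."""
    bundles = [p for suffix in BUNDLE_SUFFIXES
               for p in Path(root).rglob(f"*{suffix}") if p.is_dir()]
    findings = (inspect_bundle(b) for b in sorted(bundles, key=lambda p: p.name))
    return [f for f in findings if f is not None]


def write_plist(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("wb") as fh:
        plistlib.dump(data, fh)


def build_sample_tree(root):
    """Constructed sample bundles (not real apps) with made-up versions and hosts."""
    # Embedded Sparkle with a plain-HTTP appcast: the vulnerable configuration.
    write_plist(root / "OldChat.app/Contents/Info.plist",
                {"CFBundleName": "OldChat", "SUFeedURL": "http://updates.example.test/oldchat.xml"})
    write_plist(root / "OldChat.app/Contents/Frameworks/Sparkle.framework/Resources/Info.plist",
                {"CFBundleShortVersionString": "1.5"})
    # Embedded Sparkle with an HTTPS appcast.
    write_plist(root / "NewChat.app/Contents/Info.plist",
                {"CFBundleName": "NewChat", "SUFeedURL": "https://updates.example.test/newchat.xml"})
    write_plist(root / "NewChat.app/Contents/Frameworks/Sparkle.framework/Resources/Info.plist",
                {"CFBundleShortVersionString": "1.14"})
    # Pref pane that embeds Sparkle but declares no static feed URL.
    write_plist(root / "Tweaks.prefPane/Contents/Info.plist", {"CFBundleName": "Tweaks"})
    write_plist(root / "Tweaks.prefPane/Contents/Frameworks/Sparkle.framework/Resources/Info.plist",
                {"CFBundleShortVersionString": "1.10"})
    # No Sparkle at all: must not appear in the results.
    write_plist(root / "Plain.app/Contents/Info.plist", {"CFBundleName": "Plain"})


def demo():
    """Scan the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    roots = sys.argv[1:]
    results = [f for r in roots for f in scan(r)] if roots else demo()
    for f in results:
        print(f"{f['bundle']:<24} Sparkle {str(f['sparkle_version']):<8} {f['status']}")
```

The "unknown" result is the one to treat carefully: an app with no SUFeedURL in its Info.plist is not cleared, it simply cannot be judged from the bundle alone. As for the framework version, compare the reported string against the Sparkle project's own release notes rather than against any cut-off hard-coded here.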