An open community 
of Macintosh users,
for Macintosh users.

FineTunedMac Dashboard widget now available! Download Here

Topic Options
#38821 - 02/12/16 11:16 AM Sparkle Got Ya Down?
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
If the Sparkle security issue has your attention and you find it onerous to determine which of your apps may be at risk, DetectX 2.1.3 to the rescue. It checks for all apps and Pref Panes on your system that need Sparkle updating,

(The results appear in the log drawer after any Detector Search.)

Of course, many/most developers have yet to release their app with the updated Sparkle.

And older/legacy apps may not get updated at all...

Still, it's probably best to at least know where perils lurk.
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38828 - 02/12/16 01:42 PM Re: Sparkle Got Ya Down? [Re: Pendragon]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Aye, matey ... and what be this Sparkle of which ye speak? confused smirk

Top
#38829 - 02/12/16 02:04 PM Re: Sparkle Got Ya Down? [Re: grelber]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Apparently, when a third party developer uses an outdated version of Sparkle, it leaves the user vulnerable to MitM attacks. See this.

A partial list of affected apps can be found here.

And there ye have it me buck'o. wink
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38830 - 02/12/16 02:12 PM Re: Sparkle Got Ya Down? [Re: grelber]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: grelber
...what be this Sparkle of which ye speak? confused smirk

MacStrategy has a post explaining the Sparkle update vulnerability, while this recent entry on the Tao Effect Blog suggests that running Firefox on an account protects that account from the Sparkle vulnerability, even if the developers haven’t updated Sparkle in their software.
_________________________
alternaut moderator

Top
#38833 - 02/12/16 03:54 PM Re: Sparkle Got Ya Down? [Re: Pendragon]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: Pendragon
And there ye have it me buck'o. wink

Not so much. Still no idea what Sparkle is. Googling it comes up with a couple of movies with that title and a cleaning service.

Ostensibly you're talking about some sort of app which has security issues.

Since I use Firefox, alternaut's comments would seem to indicate that I'd be protected even in my ignorance.

Top
#38834 - 02/12/16 03:55 PM Re: Sparkle Got Ya Down? [Re: Pendragon]
artie505 Online


Registered: 08/04/09
Originally Posted By: Pendragon
Apparently, when a third party developer uses an outdated version of Sparkle, it leaves the user vulnerable to MitM attacks. See this.

A partial list of affected apps can be found here.

And there ye have it me buck'o. wink

So as not to alarm people needlessly... Your linked list is not a list of affected apps, merely apps that use Sparkle.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38835 - 02/12/16 03:59 PM Re: Sparkle Got Ya Down? [Re: grelber]
artie505 Online


Registered: 08/04/09
Sparkle is the apparatus developers use to notify users of updates and install them.

When you see this screen, Sparkle is at work.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38836 - 02/12/16 04:10 PM Re: Sparkle Got Ya Down? [Re: alternaut]
artie505 Online


Registered: 08/04/09
From your linked TAO EFFECT BLOG doc:

Quote:
It turns out, if you’ve ever opened Firefox, you are not vulnerable (to the FTP version of the attack), even if Firefox is not running and you’ve manually set the Finder as the default FTP handler. (Emphasis added)

I either missed or didn't follow anything about the non-FTP version of the attack.

Important: Does running DNSCrypt have any effect on this vulnerability?
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38840 - 02/12/16 10:48 PM Re: Sparkle Got Ya Down? [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: artie505
Sparkle is the apparatus developers use to notify users of updates and install them.

When you see this screen, Sparkle is at work.

All that is is the sparkle-project.org's homepage.
Still not sure how that might affect or be of interest to me in terms of guarding against malware and the like.

Top
#38841 - 02/13/16 12:44 AM Re: Sparkle Got Ya Down? [Re: grelber]
artie505 Online


Registered: 08/04/09
Originally Posted By: grelber
Still no idea what Sparkle is.

Originally Posted By: artie505
Sparkle is the apparatus developers use to notify users of updates and install them.

When you see this screen, Sparkle is at work.

All that is is the sparkle-project.org's homepage.
Still not sure how that might affect or be of interest to me in terms of guarding against malware and the like.

That home page answered your initial question, and this, I think, is the answer to your new question...

Any time one of your apps pops up a Sparkle dialog box you may be vulnerable to a MItM attack if you click on "Install Update".

According to alternaut's linked doc, you may be safe if you've launched Firefox at least once in each account in which you use Sparkle, but as far as I can see, the best approach to dealing with the vulnerability (which, by the way, is the result of a flaw in OS X, not Sparkle) is to simply avoid using it unless you're 100% certain that the app asking to be updated is asking via a secure version.

Use MacUpdate or the dev's website instead.

And if an app asks to be updated to a secure version of Sparkle via a vulnerable version... tongue


Edited by artie505 (02/13/16 12:57 AM)
Edit Reason: Add source of vulnerability
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38844 - 02/13/16 06:10 AM Re: Sparkle Got Ya Down? [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
I must not be making myself clear. We're talking at skewed purposes.
I don't know anything about Sparkle (other than that it's somehow related to downloads/updates); I don't have anything on my computer which relates to Sparkle; etc.
May I assume that I would have to actually have installed and use Sparkle to risk security issues? Or is Sparkle some sort of background application which other parties use to let me download/update apps?

Top
#38847 - 02/13/16 08:13 AM Re: Sparkle Got Ya Down? [Re: grelber]
Ira L Offline


Registered: 08/13/09
Loc: California
As I understand it, Sparkle is the mechanism by which developers can create a "Check for updates…" menu item in their application that can lead to a download and installation of an update of their software from within the software itself.

Obviously this requires an Internet connection and apparently the old code that does the download, etc. can allow an intruder to get in and do nefarious things.

You won't see an application or mention of "Sparkle" on your computer any more than you would see the name of the coding language used to build an application (unless you are using the language yourself).
_________________________
On a Mac since 1984.
Currently: 27" iMacs, Macbook Air, macOS 10.14.x,; iPhones, iPods and iPads galore!

Top
#38852 - 02/13/16 03:53 PM Re: Sparkle Got Ya Down? [Re: grelber]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Originally Posted By: grelber
I must not be making myself clear. We're talking at skewed purposes.
I don't know anything about Sparkle (other than that it's somehow related to downloads/updates); I don't have anything on my computer which relates to Sparkle; etc.
May I assume that I would have to actually have installed and use Sparkle to risk security issues? Or is Sparkle some sort of background application which other parties use to let me download/update apps?


Sparkle is a piece of code that developers can insert into their programs to have the programs self-update. You'll never explicitly install Sparkle; instead, you install programs whose developers have chosen to use Sparkle.

Unfortunately, Sparkle has a security flaw that could, under certain highly controlled circumstances, allow malicious actors to intercept a Sparkle update and download malware instead.

Say, for example, that you use the program Adium or some other app that uses Sparkle. You run it and it says "an update to this program is available, do you want to install it?" You say yes. The malicious actors could insert themselves between the Web site of the company that makes your software and you, so that instead of downloading the new version of Adium (or whatever), you download malware instead.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

Top
#38854 - 02/13/16 04:31 PM Re: Sparkle Got Ya Down? [Re: tacit]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
From that latest description and the fact that I always download/update applications directly from the producers (eg, Apple, Microsoft, Adobe, Oracle, Mozilla) and never through third parties (such as MacUpdate) I take it that I'm likely not at risk.
Please correct me if I'm wrong and, if so, advise what can be done about it.

Top
#38855 - 02/13/16 04:39 PM Re: Sparkle Got Ya Down? [Re: grelber]
artie505 Online


Registered: 08/04/09
Originally Posted By: grelber
May I assume that I would have to actually have installed and use Sparkle to risk security issues? Or is Sparkle some sort of background application which other parties use to let me download/update apps?

Life sure would have been easier if you had asked that specific question earlier.

Under the circumstances you just described you're at absolutely zero risk.

Without knowing it, though, you may actually have an app or utility that uses Sparkle, and it may pop up an update request at some point. In that event, simply click on the "Skip This Version" button. (It's clicking on the "Install Update" button that's got the potential to get you into trouble.)


Edited by artie505 (02/14/16 01:19 AM)
Edit Reason: Correct button names
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38856 - 02/13/16 06:48 PM Re: Sparkle Got Ya Down? [Re: tacit]
artie505 Online


Registered: 08/04/09
Not that I ever use Sparkle, but if I did, would DNSCrypt derail somebody trying to exploit the vulnerability we've been discussing?

Thanks.


Edited by artie505 (02/14/16 01:38 AM)
Edit Reason: Better
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38861 - 02/14/16 12:32 AM Re: Sparkle Got Ya Down? [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: artie505
Life sure would have been easier if you had asked that specific question earlier.
Under the circumstances you just described you're at absolutely zero risk.

If Pendragon and/or others had defined at the outset what Sparkle is (rather than assuming a priori awareness of what it's about — see the first sentence of the first post to see what I mean), then I could have framed the question(s) more knowledgeably. That's why it took so long to get around to phrasing it appropriately. Running through the thread makes it pretty clear that I was trying to home in on what the application is and does and subsequently how it might affect me.

Top
#38862 - 02/14/16 01:37 AM Re: Sparkle Got Ya Down? [Re: grelber]
artie505 Online


Registered: 08/04/09
Yeah, this thread did begin pretty obscurely...an approach to dealing with a never before mentioned vulnerability in a never before (I think) mentioned app that many users don't even know is on their Macs. tongue

My own bad, though, for thinking that the Sparkle homepage had sufficient info to answer your question even in the vacuum in which you were working.

I'm glad it's all worked out now.


Edited by artie505 (02/14/16 04:17 AM)
Edit Reason: Expand
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38876 - 02/14/16 02:25 PM Re: Sparkle Got Ya Down? [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
There appears to be a lot of misunderstanding if what Sparkle is, what the vulnerability is, and whether or not you have "it" on your Mac or you use "it".
  • Sparkle is a legitimate Open Source framework used by a variety of application developers including some of the big guys
  • If you download and install third party applications on your Mac that have a "check for updates" feature, you are likely to have some version of Sparkle on your Mac.
  • The application developer includes Sparkle as a convenience for the user and almost always that feature can be turned on or off in the application's preferences. Turning the "check for updates" feature off obviates the vulnerability
  • Applications do not advertise their use of the Sparkle framework any more than they advertise the programming language(s) used to write the application so there is not way of telling whether a given app uses Sparkle framework or not
  • The only way of removing Sparkle from an app that uses it is to delete the app.
  • It is only older versions of Sparkle that are vulnerable to exploits. The vulnerability is not present in the more recent versions. Unfortunately you are unlikely to have any information on what versions of Sparkle is used by the app.
  • Some developers overlook the admonition to use an encrypted (HTTPS) channel to report the version information back to the enquiring. mad
  • You can find an authoritative discussion of the Sparkle vulnerability on The Hacker News
_________________________
joemikeb • moderator

Top
#38878 - 02/14/16 03:13 PM Re: Sparkle Got Ya Down? [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Nice post..lays it out more clearly than has heretofore been done.

Originally Posted By: joemmikeb
The application developer includes Sparkle as a convenience for the user and almost always that feature can be turned on or off in the application's preferences. Turning the "check for updates" feature off obviates the vulnerability

The down-side to that approach is that it costs you the notification feature, so I'll offer up the idea of leaving Sparkle active but just not using it to update, which I think covers all bases.

Originally Posted By: joemikeb
Some developers overlook the admonition to use an encrypted (HTTPS) channel to report the version information back to the enquiring.

That follows The Hacker News's

Quote:
The first loophole is due to the improper implementation of Sparkle Updater framework by the app developers.

The app developers are using an unencrypted HTTP URL to check for new updates, rather than an SSL encrypted channel.

but it's at odds with alternaut's linked doc which says

Originally Posted By: Tao Effect Blog
Sparklegate is a fundamental flaw in OS X, not Sparkle. It is a flaw in Finder (foremost) and WebView (second most).

Any idea about that?

Originally Posted By: The Hacker News
As a result, an attacker in the same network could perform MitM attacks and inject malicious code into the communication between the end user and the server, potentially allowing an attacker to gain full control of your computer. (Emphasis added)

Is that "in the same network" as mitigating a factor as it sounds?

And finally, does DNSCrypt, which protects against MitM attacks, protect against this vulnerability?

Thanks.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38882 - 02/14/16 05:10 PM Re: Sparkle Got Ya Down? [Re: artie505]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Originally Posted By: artie505

but it's at odds with alternaut's linked doc which says

Originally Posted By: Tao Effect Blog
Sparklegate is a fundamental flaw in OS X, not Sparkle. It is a flaw in Finder (foremost) and WebView (second most).

Any idea about that?


Part of the issue is there are actually two potential vulnerabilities, one that's purely in Sparkle and one that capitalizes on a mechanism in OS X.

The purely Sparkle vulnerability is that older Sparkle implementations fetch information about application updates over HTTP, not HTTPS. If you are on WiFi when you do an update, a malicious person on the same WiFi connection can intercept the request for the app update information and modify it, causing Sparkle to download an app from his computer instead of the update for the app you're trying to update.

The second flaw pertains to how the Finder works. The Finder can be set to be the computer's FTP handler. If the FTP handler is set to Finder, then a call to an FTP address will result in the FTP server being mounted as a network hard drive in the Finder. This can result in an attacker being able to download a file onto your computer via FTP from a malicious FTP server.

The former problem is a problem in Sparkle that's fixed by fetching app update requests over HTTPS, not HTTP. The latter is not so much a bug as the way OS X was designed to work, though the design is perhaps poorly thought out.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

Top
#38883 - 02/14/16 05:36 PM Re: Sparkle Got Ya Down? [Re: tacit]
artie505 Online


Registered: 08/04/09
Thanks for the clarification, tacit.

That explains the FTP version of the attack mentioned in the Tao Effect Blog which, by the way, doesn't mention the HTTP/HTTPS vulnerability.

It sounds like we've finally got a complete picture of what we're up against (and it now appears that having opened Firefox is not all that it's been cracked up to be).
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#38886 - 02/15/16 12:11 AM Re: Sparkle Got Ya Down? [Re: artie505]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
Originally Posted By: artie505
Nice post..lays it out more clearly than has heretofore been done. ... Thanks.

Indeed it do [sic] ... much appreciated.

Top
#38896 - 02/15/16 08:33 AM Re: Sparkle Got Ya Down? [Re: joemikeb]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: joemikeb
  • If you download and install third party applications on your Mac that have a "check for updates" feature, you are likely to have some version of Sparkle on your Mac.
  • Applications do not advertise their use of the Sparkle framework any more than they advertise the programming language(s) used to write the application so there is not way of telling whether a given app uses Sparkle framework or not
  • It is only older versions of Sparkle that are vulnerable to exploits. The vulnerability is not present in the more recent versions. Unfortunately you are unlikely to have any information on what versions of Sparkle is used by the app.

For those who do want to know about the underlined parts of the selected points from Joemikeb’s post, regardless of their theoretically small exposure to the Sparkle vulnerability, Sqwarq Software’s DetectX utility added a Sparkle security check for all apps and Pref Panes on the system starting with v 2.13. It will list all such items that use the vulnerable (= HTTP using) versions of the Sparkle.framework. To access this Sparkle search, check the relevant box in DetectX’s preferences before you run the (‘All Searches’) Search. This may take a minute or so, and might be ‘disappointing’ (e.g., my test was negative).


PS, Regardless of search results present in the main window or communicated by popup (’Negative’), all details are listed in DetectX’s log. This can be accessed by selecting ‘Log Drawer’ from the ‘View’ menu, or by clicking the white-on-blue ‘i’ button in the lower left of the results window. The Sparkle results are found toward the end of the log.


Edited by alternaut (02/15/16 09:17 AM)
Edit Reason: added detail
_________________________
alternaut moderator

Top

Moderator:  alternaut, cyn