Sparkle Got Ya Down?
#38821 02/12/16 07:16 PM
Joined: Aug 2009 (OP)

If the Sparkle security issue has your attention and you find it onerous to determine which of your apps may be at risk, DetectX 2.1.3 to the rescue. It checks for all apps and Pref Panes on your system that need Sparkle updating.

(The results appear in the log drawer after any Detector Search.)

Of course, many/most developers have yet to release their app with the updated Sparkle.

And older/legacy apps may not get updated at all...

Still, it's probably best to at least know where perils lurk.


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
Pendragon #38828 02/12/16 09:42 PM
Joined: Aug 2009
Likes: 4

Aye, matey ... and what be this Sparkle of which ye speak?

Re: Sparkle Got Ya Down?
grelber #38829 02/12/16 10:04 PM
Joined: Aug 2009 (OP)

Apparently, when a third-party developer uses an outdated version of Sparkle, it leaves the user vulnerable to MitM attacks. See this.

A partial list of affected apps can be found here.

And there ye have it me buck'o.

Re: Sparkle Got Ya Down?
grelber #38830 02/12/16 10:12 PM
Joined: Aug 2009
Likes: 1
Moderator

Originally Posted By: grelber
...what be this Sparkle of which ye speak?

MacStrategy has a post explaining the Sparkle update vulnerability, while this recent entry on the Tao Effect Blog suggests that running Firefox on an account protects that account from the Sparkle vulnerability, even if the developers haven’t updated Sparkle in their software.


alternaut moderator
Re: Sparkle Got Ya Down?
Pendragon #38833 02/12/16 11:54 PM
Joined: Aug 2009
Likes: 4

Originally Posted By: Pendragon
And there ye have it me buck'o.

Not so much. Still no idea what Sparkle is. Googling it comes up with a couple of movies with that title and a cleaning service.

Ostensibly you're talking about some sort of app which has security issues.

Since I use Firefox, alternaut's comments would seem to indicate that I'd be protected even in my ignorance.

Re: Sparkle Got Ya Down?
Pendragon #38834 02/12/16 11:55 PM
Joined: Aug 2009
Likes: 15

Originally Posted By: Pendragon
Apparently, when a third-party developer uses an outdated version of Sparkle, it leaves the user vulnerable to MitM attacks. See this.

A partial list of affected apps can be found here.

And there ye have it me buck'o.

So as not to alarm people needlessly... Your linked list is not a list of affected apps, merely apps that use Sparkle.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sparkle Got Ya Down?
grelber #38835 02/12/16 11:59 PM
Joined: Aug 2009
Likes: 15

Sparkle is the apparatus developers use to notify users of updates and install them.

When you see this screen, Sparkle is at work.

Re: Sparkle Got Ya Down?
alternaut #38836 02/13/16 12:10 AM
Joined: Aug 2009
Likes: 15

From your linked TAO EFFECT BLOG doc:

Quote:
It turns out, if you’ve ever opened Firefox, you are not vulnerable (to the FTP version of the attack), even if Firefox is not running and you’ve manually set the Finder as the default FTP handler. (Emphasis added)

I either missed or didn't follow anything about the non-FTP version of the attack.

Important: Does running DNSCrypt have any effect on this vulnerability?

Re: Sparkle Got Ya Down?
artie505 #38840 02/13/16 06:48 AM
Joined: Aug 2009
Likes: 4

Originally Posted By: artie505
Sparkle is the apparatus developers use to notify users of updates and install them.

When you see this screen, Sparkle is at work.

All that is is the sparkle-project.org's homepage.
Still not sure how that might affect or be of interest to me in terms of guarding against malware and the like.

Re: Sparkle Got Ya Down?
grelber #38841 02/13/16 08:44 AM
Joined: Aug 2009
Likes: 15

Originally Posted By: grelber
Still no idea what Sparkle is.

Originally Posted By: artie505
Sparkle is the apparatus developers use to notify users of updates and install them.

When you see this screen, Sparkle is at work.

All that is is the sparkle-project.org's homepage.
Still not sure how that might affect or be of interest to me in terms of guarding against malware and the like.

That home page answered your initial question, and this, I think, is the answer to your new question...

Any time one of your apps pops up a Sparkle dialog box you may be vulnerable to a MitM attack if you click on "Install Update".

According to alternaut's linked doc, you may be safe if you've launched Firefox at least once in each account in which you use Sparkle, but as far as I can see, the best approach to dealing with the vulnerability (which, by the way, is the result of a flaw in OS X, not Sparkle) is to simply avoid using it unless you're 100% certain that the app asking to be updated is asking via a secure version.

Use MacUpdate or the dev's website instead.

And if an app asks to be updated to a secure version of Sparkle via a vulnerable version...

Last edited by artie505; 02/13/16 08:57 AM. Reason: Add source of vulnerability

Re: Sparkle Got Ya Down?
artie505 #38844 02/13/16 02:10 PM
Joined: Aug 2009
Likes: 4

I must not be making myself clear. We're talking at skewed purposes.
I don't know anything about Sparkle (other than that it's somehow related to downloads/updates); I don't have anything on my computer which relates to Sparkle; etc.
May I assume that I would have to actually have installed and use Sparkle to risk security issues? Or is Sparkle some sort of background application which other parties use to let me download/update apps?

Re: Sparkle Got Ya Down?
grelber #38847 02/13/16 04:13 PM
Joined: Aug 2009
Likes: 8

As I understand it, Sparkle is the mechanism by which developers can create a "Check for updates…" menu item in their application that can lead to a download and installation of an update of their software from within the software itself.

Obviously this requires an Internet connection and apparently the old code that does the download, etc. can allow an intruder to get in and do nefarious things.

You won't see an application or mention of "Sparkle" on your computer any more than you would see the name of the coding language used to build an application (unless you are using the language yourself).


On a Mac since 1984.
Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
Re: Sparkle Got Ya Down?
grelber #38852 02/13/16 11:53 PM
Joined: Aug 2009
Likes: 1

Originally Posted By: grelber
I must not be making myself clear. We're talking at skewed purposes.
I don't know anything about Sparkle (other than that it's somehow related to downloads/updates); I don't have anything on my computer which relates to Sparkle; etc.
May I assume that I would have to actually have installed and use Sparkle to risk security issues? Or is Sparkle some sort of background application which other parties use to let me download/update apps?
Sparkle is a piece of code that developers can insert into their programs to have the programs self-update. You'll never explicitly install Sparkle; instead, you install programs whose developers have chosen to use Sparkle.

Unfortunately, Sparkle has a security flaw that could, under certain highly controlled circumstances, allow malicious actors to intercept a Sparkle update and download malware instead.

Say, for example, that you use the program Adium or some other app that uses Sparkle. You run it and it says "an update to this program is available, do you want to install it?" You say yes. The malicious actors could insert themselves between the Web site of the company that makes your software and you, so that instead of downloading the new version of Adium (or whatever), you download malware instead.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Sparkle Got Ya Down?
tacit #38854 02/14/16 12:31 AM
Joined: Aug 2009
Likes: 4

From that latest description and the fact that I always download/update applications directly from the producers (e.g., Apple, Microsoft, Adobe, Oracle, Mozilla) and never through third parties (such as MacUpdate) I take it that I'm likely not at risk.
Please correct me if I'm wrong and, if so, advise what can be done about it.

Re: Sparkle Got Ya Down?
grelber #38855 02/14/16 12:39 AM
Joined: Aug 2009
Likes: 15

Originally Posted By: grelber
May I assume that I would have to actually have installed and use Sparkle to risk security issues? Or is Sparkle some sort of background application which other parties use to let me download/update apps?

Life sure would have been easier if you had asked that specific question earlier.

Under the circumstances you just described you're at absolutely zero risk.

Without knowing it, though, you may actually have an app or utility that uses Sparkle, and it may pop up an update request at some point. In that event, simply click on the "Skip This Version" button. (It's clicking on the "Install Update" button that's got the potential to get you into trouble.)

Last edited by artie505; 02/14/16 09:19 AM. Reason: Correct button names

Re: Sparkle Got Ya Down?
tacit #38856 02/14/16 02:48 AM
Joined: Aug 2009
Likes: 15

Not that I ever use Sparkle, but if I did, would DNSCrypt derail somebody trying to exploit the vulnerability we've been discussing?

Thanks.

Last edited by artie505; 02/14/16 09:38 AM. Reason: Better

Re: Sparkle Got Ya Down?
artie505 #38861 02/14/16 08:32 AM
Joined: Aug 2009
Likes: 4

Originally Posted By: artie505
Life sure would have been easier if you had asked that specific question earlier.
Under the circumstances you just described you're at absolutely zero risk.

If Pendragon and/or others had defined at the outset what Sparkle is (rather than assuming a priori awareness of what it's about — see the first sentence of the first post to see what I mean), then I could have framed the question(s) more knowledgeably. That's why it took so long to get around to phrasing it appropriately. Running through the thread makes it pretty clear that I was trying to home in on what the application is and does and subsequently how it might affect me.

Re: Sparkle Got Ya Down?
grelber #38862 02/14/16 09:37 AM
Joined: Aug 2009
Likes: 15

Yeah, this thread did begin pretty obscurely... an approach to dealing with a never before mentioned vulnerability in a never before (I think) mentioned app that many users don't even know is on their Macs.

My own bad, though, for thinking that the Sparkle homepage had sufficient info to answer your question even in the vacuum in which you were working.

I'm glad it's all worked out now.

Last edited by artie505; 02/14/16 12:17 PM. Reason: Expand

Re: Sparkle Got Ya Down?
artie505 #38876 02/14/16 10:25 PM
Joined: Aug 2009
Likes: 16
Moderator

There appears to be a lot of misunderstanding of what Sparkle is, what the vulnerability is, and whether or not you have "it" on your Mac or you use "it".
  • Sparkle is a legitimate Open Source framework used by a variety of application developers, including some of the big guys.
  • If you download and install third-party applications on your Mac that have a "check for updates" feature, you are likely to have some version of Sparkle on your Mac.
  • The application developer includes Sparkle as a convenience for the user, and almost always that feature can be turned on or off in the application's preferences. Turning the "check for updates" feature off obviates the vulnerability.
  • Applications do not advertise their use of the Sparkle framework any more than they advertise the programming language(s) used to write the application, so there is no way of telling whether a given app uses the Sparkle framework or not.
  • The only way of removing Sparkle from an app that uses it is to delete the app.
  • It is only older versions of Sparkle that are vulnerable to exploits. The vulnerability is not present in the more recent versions. Unfortunately you are unlikely to have any information on what version of Sparkle is used by the app.
  • Some developers overlook the admonition to use an encrypted (HTTPS) channel to report the version information back to the enquiring.
  • You can find an authoritative discussion of the Sparkle vulnerability on The Hacker News.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Sparkle Got Ya Down?
joemikeb #38878 02/14/16 11:13 PM
Joined: Aug 2009
Likes: 15

Nice post... lays it out more clearly than has heretofore been done.

Originally Posted By: joemikeb
The application developer includes Sparkle as a convenience for the user, and almost always that feature can be turned on or off in the application's preferences. Turning the "check for updates" feature off obviates the vulnerability.

The down-side to that approach is that it costs you the notification feature, so I'll offer up the idea of leaving Sparkle active but just not using it to update, which I think covers all bases.

Originally Posted By: joemikeb
Some developers overlook the admonition to use an encrypted (HTTPS) channel to report the version information back to the enquiring.

That follows The Hacker News's

Quote:
The first loophole is due to the improper implementation of Sparkle Updater framework by the app developers.

The app developers are using an unencrypted HTTP URL to check for new updates, rather than an SSL encrypted channel.

but it's at odds with alternaut's linked doc which says

Originally Posted By: Tao Effect Blog
Sparklegate is a fundamental flaw in OS X, not Sparkle. It is a flaw in Finder (foremost) and WebView (second most).

Any idea about that?

Originally Posted By: The Hacker News
As a result, an attacker in the same network could perform MitM attacks and inject malicious code into the communication between the end user and the server, potentially allowing an attacker to gain full control of your computer. (Emphasis added)

Is that "in the same network" as mitigating a factor as it sounds?

And finally, does DNSCrypt, which protects against MitM attacks, protect against this vulnerability?

Thanks.


Re: Sparkle Got Ya Down?
artie505 #38882 02/15/16 01:10 AM
Joined: Aug 2009
Likes: 1

Originally Posted By: artie505
but it's at odds with alternaut's linked doc which says

Originally Posted By: Tao Effect Blog
Sparklegate is a fundamental flaw in OS X, not Sparkle. It is a flaw in Finder (foremost) and WebView (second most).

Any idea about that?

Part of the issue is there are actually two potential vulnerabilities, one that's purely in Sparkle and one that capitalizes on a mechanism in OS X.

The purely Sparkle vulnerability is that older Sparkle implementations fetch information about application updates over HTTP, not HTTPS. If you are on WiFi when you do an update, a malicious person on the same WiFi connection can intercept the request for the app update information and modify it, causing Sparkle to download an app from his computer instead of the update for the app you're trying to update.

The second flaw pertains to how the Finder works. The Finder can be set to be the computer's FTP handler. If the FTP handler is set to Finder, then a call to an FTP address will result in the FTP server being mounted as a network hard drive in the Finder. This can result in an attacker being able to download a file onto your computer via FTP from a malicious FTP server.

The former problem is a problem in Sparkle that's fixed by fetching app update requests over HTTPS, not HTTP. The latter is not so much a bug as the way OS X was designed to work, though the design is perhaps poorly thought out.

Re: Sparkle Got Ya Down?
tacit #38883 02/15/16 01:36 AM
Joined: Aug 2009
Likes: 15

Thanks for the clarification, tacit.

That explains the FTP version of the attack mentioned in the Tao Effect Blog which, by the way, doesn't mention the HTTP/HTTPS vulnerability.

It sounds like we've finally got a complete picture of what we're up against (and it now appears that having opened Firefox is not all that it's been cracked up to be).

Re: Sparkle Got Ya Down?
artie505 #38886 02/15/16 08:11 AM
Joined: Aug 2009
Likes: 4

Originally Posted By: artie505
Nice post... lays it out more clearly than has heretofore been done. ... Thanks.

Indeed it do [sic] ... much appreciated.

Re: Sparkle Got Ya Down?
joemikeb #38896 02/15/16 04:33 PM
Joined: Aug 2009
Likes: 1
Moderator

Originally Posted By: joemikeb
  • If you download and install third-party applications on your Mac that have a "check for updates" feature, you are likely to have some version of Sparkle on your Mac.
  • Applications do not advertise their use of the Sparkle framework any more than they advertise the programming language(s) used to write the application, so there is no way of telling whether a given app uses the Sparkle framework or not.
  • It is only older versions of Sparkle that are vulnerable to exploits. The vulnerability is not present in the more recent versions. Unfortunately you are unlikely to have any information on what version of Sparkle is used by the app.

For those who do want to know about the underlined parts of the selected points from Joemikeb’s post, regardless of their theoretically small exposure to the Sparkle vulnerability, Sqwarq Software’s DetectX utility added a Sparkle security check for all apps and Pref Panes on the system starting with v 2.13. It will list all such items that use the vulnerable (= HTTP using) versions of the Sparkle.framework. To access this Sparkle search, check the relevant box in DetectX’s preferences before you run the (‘All Searches’) Search. This may take a minute or so, and might be ‘disappointing’ (e.g., my test was negative).


PS, Regardless of search results present in the main window or communicated by popup (’Negative’), all details are listed in DetectX’s log. This can be accessed by selecting ‘Log Drawer’ from the ‘View’ menu, or by clicking the white-on-blue ‘i’ button in the lower left of the results window. The Sparkle results are found toward the end of the log.

Last edited by alternaut; 02/15/16 05:17 PM. Reason: added detail
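For readers who want to do by hand the kind of check alternaut describes DetectX doing, here is an added example (not code from the thread, DetectX, or the Sparkle project). It walks .app bundles, reports which embed Sparkle.framework, and flags any whose appcast address (Sparkle's standard SUFeedURL key in Info.plist) is not https, which is the plain-HTTP case tacit explains above. The three sample bundles are constructed in a temporary directory; point audit_applications at /Applications for a real run.

```python
"""Audit .app bundles for Sparkle updaters whose appcast is fetched over plain HTTP.

Added example for this thread; not code from DetectX or the Sparkle project.
Assumes the standard Sparkle layout: Contents/Frameworks/Sparkle.framework
inside the bundle and the appcast address in the SUFeedURL key of
Contents/Info.plist.
"""
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse


def audit_bundle(app: Path) -> dict:
    """Return one finding for a .app directory."""
    framework = app / "Contents" / "Frameworks" / "Sparkle.framework"
    finding = {"app": app.name, "uses_sparkle": framework.is_dir(),
               "feed_url": None, "insecure": False}
    info = app / "Contents" / "Info.plist"
    if not finding["uses_sparkle"] or not info.is_file():
        return finding
    with info.open("rb") as fh:
        plist = plistlib.load(fh)
    feed = plist.get("SUFeedURL")
    finding["feed_url"] = feed
    # An appcast fetched over http:// can be rewritten by anyone on the network
    # path (the MitM case described in the thread); https:// is the fix.
    # Note: this only checks the URL scheme, not the Sparkle version itself.
    if isinstance(feed, str):
        finding["insecure"] = urlparse(feed).scheme.lower() != "https"
    return finding


def audit_applications(root: Path) -> list:
    """Audit every .app directly under root (e.g. Path('/Applications'))."""
    return [audit_bundle(p) for p in sorted(root.glob("*.app"))]


def _make_bundle(root: Path, name: str, feed_url=None, sparkle=True) -> None:
    """Create a constructed sample bundle (not a real application)."""
    contents = root / name / "Contents"
    contents.mkdir(parents=True)
    if sparkle:
        (contents / "Frameworks" / "Sparkle.framework").mkdir(parents=True)
    plist = {"CFBundleIdentifier": "example." + name}
    if feed_url:
        plist["SUFeedURL"] = feed_url
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump(plist, fh)


def run_demo() -> list:
    """Build three constructed bundles in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _make_bundle(root, "Insecure.app", "http://updates.example.test/appcast.xml")
        _make_bundle(root, "Secure.app", "https://updates.example.test/appcast.xml")
        _make_bundle(root, "NoSparkle.app", sparkle=False)
        return audit_applications(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

An app can also set its feed from code rather than Info.plist, so a missing SUFeedURL means "unknown", not "safe"; likewise an https feed says nothing about whether the embedded Sparkle version itself is current.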
