A lot of OS X applications use a framework called Sparkle to simplify automatic software updates for end users like you and me. Unfortunately, a recent vulnerability was spotted in Sparkle — one that could leave your system open to hackers.
The issue is that when an app checks for updates, it uses an unencrypted HTTP channel that can be hijacked. The vulnerability affects both OS X Yosemite and OS X El Capitan. Here’s a proof-of-concept in action:
Sparkle has already released a patch for their updater framework, but it’s still up to the individual app developers to update the versions of Sparkle used in their apps. In other words, the vulnerability only exists in apps using old versions of Sparkle.
So what should you do? First, check this list of apps using Sparkle and see if you have any of them installed on your system. If not, you’re clear and have nothing to worry about.
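The list of Sparkle apps the post links to is not reproduced here, but you can check your own machine directly. The script below is an added example written for this post (not code from Sparkle or the original article): it walks a folder of `.app` bundles, flags the ones that embed `Sparkle.framework`, and reports whether each app's `SUFeedURL` (the real Info.plist key Sparkle reads for its update feed) points at `http://` or `https://`. It assumes Sparkle lives at the usual `Contents/Frameworks/Sparkle.framework` path inside the bundle; an app that embeds it elsewhere would be missed. On macOS it uses `plutil` to handle binary plists, and elsewhere it falls back to reading XML plists directly.

```shell
#!/bin/sh
# Added example: list apps that bundle Sparkle and show the scheme of their update feed.
# An http:// feed is the unencrypted channel the post describes; https:// is what you want to see.

# Print the SUFeedURL value from an Info.plist.
# On macOS, plutil converts binary plists to XML first; elsewhere the file is read as-is.
feed_url_from_plist() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi | tr -d '\n' \
       | sed -n 's/.*<key>SUFeedURL<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Classify a feed URL by scheme: insecure (http), secure (https), none (missing), other.
classify_feed() {
    case "$1" in
        "")        echo "none" ;;
        http://*)  echo "insecure" ;;
        https://*) echo "secure" ;;
        *)         echo "other" ;;
    esac
}

# Walk a directory of .app bundles (default /Applications) and print one
# tab-separated line per Sparkle-using app: name, classification, feed URL.
scan_apps() {
    dir="${1:-/Applications}"
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        # Assumed standard location of the embedded framework.
        [ -d "$app/Contents/Frameworks/Sparkle.framework" ] || continue
        url=$(feed_url_from_plist "$app/Contents/Info.plist")
        printf '%s\t%s\t%s\n' "$(basename "$app")" "$(classify_feed "$url")" "${url:-<no SUFeedURL>}"
    done
}

scan_apps "$@"
```

Run it with no arguments to scan `/Applications`, or pass another folder (for example `~/Applications`). A `secure` result only tells you the feed is fetched over HTTPS; it does not prove the bundled Sparkle is the patched version, so the post's advice about looking for app updates released after the fix still applies to every app the script lists.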
Otherwise, if you’re really paranoid, you should uninstall every Sparkle-based app you have until they release updated versions. The Sparkle security fix was released on February 4, so look for app updates that came out after that day.
If you aren’t so paranoid, then you can keep them installed but make sure you don’t connect to any unsecured Wi-Fi networks or public Wi-Fi networks as that’s how someone would take advantage of the vulnerability.
Do you have any Sparkle-based apps on your system? How often do you connect to unsecured or public Wi-Fi? Tell us about your wireless habits in the comments below!
Image Credit: MacBook by Marco Prati via Shutterstock