Free Republic

‘Huge’ number of Mac apps vulnerable to hijacking, and a fix is elusive
Mac Daily News ^ | February 9, 2016

Posted on 02/09/2016 2:38:59 PM PST by Swordmaker

“Camtasia, uTorrent, and a large number of other Mac apps are susceptible to man-in-the-middle attacks that install malicious code, thanks to a vulnerability in Sparkle, the third-party software framework the apps use to receive updates,” Dan Goodin reports for Ars Technica. “The vulnerability is the result of apps that use a vulnerable version of Sparkle along with an unencrypted HTTP channel to receive data from update servers. It involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution.”

“As a result, attackers with the ability to manipulate the traffic passing between the end user and the server—say, an adversary on the same Wi-Fi network—can inject malicious code into the communication,” Goodin reports. “A security engineer who goes by the name Radek said that the attack is viable on both the current El Capitan Mac platform and its predecessor Yosemite.”

“The challenge many app developers have in plugging the security hole, combined with the difficulty end users have in knowing which apps are vulnerable, makes this a vexing problem to solve. People who aren’t sure if an app on their Mac is safe should consider avoiding unsecured Wi-Fi networks or using a virtual private network when doing so,” Goodin reports. “Even then, it will still be possible to exploit vulnerable apps, but the attackers would have to be government spies or rogue telecom employees with access to a phone network or Internet backbone.”

Read more in the full article here.

MacDailyNews Take: Yes, use a VPN when using public Wi-Fi networks (see related articles below). Or tether to your iPhone if at all possible.
TOPICS: Business/Economy; Computers/Internet
KEYWORDS: apple; applepinglist
Don't download files over an unsecured WIFI connection. More importantly, don't use any App you are not sure of to download anything!
1 posted on 02/09/2016 2:38:59 PM PST by Swordmaker
[ Post Reply | Private Reply | View Replies]

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
Any App that uses "Sparkle" frameworks on Apple OS X El Capitan or OS X Yosemite to download is vulnerable to a man-in-the-middle attack on an insecure WIFI network connection and could conceivably insert a malicious app into the returning download! Don't use any OS X App such as Camtasia or uTorrent over an unsecured WIFI such as at a Starbucks or Airport for downloads. . . for that matter, don't use an unsecured WIFI to do ANYTHING, DUH! -- PING!


Apple OS X Security
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

2 posted on 02/09/2016 2:44:09 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue....)
[ Post Reply | Private Reply | To 1 | View Replies]

Apps that use the vulnerable version of Sparkle to update themselves are also vulnerable to exploitation by this problem if they do not use HTTPS: and only use HTTP: to do their updating. The later versions of Sparkle are OK. The problem is that your apps may be using the older, vulnerable version of Sparkle. Therefore, DO NOT UPDATE any apps over an insecure WIFI.

Your home or work WIFI, if you are using a sufficiently complex password to connect to it, is most likely OK.

3 posted on 02/09/2016 2:51:41 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue....)
[ Post Reply | Private Reply | To 1 | View Replies]
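The article excerpt and post 3 above both say the exposed apps are those that bundle an older Sparkle and fetch their update feed over plain HTTP, and that users have no easy way to tell which apps those are. The following is an added audit script, not code from the article, Sparkle, or anyone in this thread: it reads each .app bundle's Info.plist, looks for Sparkle's SUFeedURL key, and reports whether the declared feed uses https. The sample plist, the app name "ExampleApp" and the feed host are constructed for the example; an app that sets its feed URL in code rather than in Info.plist will be reported as needing manual inspection, and the script cannot tell which Sparkle version is bundled.

```python
import os
import plistlib
from urllib.parse import urlparse

# Constructed sample Info.plist for a hypothetical "ExampleApp" whose Sparkle
# appcast feed is declared over plain HTTP (the risky configuration described above).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key><string>ExampleApp</string>
    <key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
"""


def classify_feed(info_plist_bytes, bundles_sparkle):
    """Return a short verdict for one app's update configuration.

    bundles_sparkle: whether Contents/Frameworks/Sparkle.framework exists on disk.
    """
    info = plistlib.loads(info_plist_bytes)
    feed = info.get("SUFeedURL")  # Sparkle's Info.plist key for the appcast URL
    if not bundles_sparkle and feed is None:
        return "no-sparkle"
    if feed is None:
        # Sparkle is present but the feed is set in code; needs manual inspection.
        return "sparkle-feed-not-in-plist"
    scheme = urlparse(feed).scheme.lower()
    return "feed-https" if scheme == "https" else "feed-plain-http"


def audit_app(app_path):
    """Audit one .app bundle on disk and return (bundle name, verdict)."""
    plist_path = os.path.join(app_path, "Contents", "Info.plist")
    sparkle_path = os.path.join(app_path, "Contents", "Frameworks", "Sparkle.framework")
    with open(plist_path, "rb") as f:
        data = f.read()
    return os.path.basename(app_path), classify_feed(data, os.path.isdir(sparkle_path))


if __name__ == "__main__":
    # Scan the standard application folder; "feed-plain-http" entries are the
    # apps to update only on a trusted network until the developer ships a fix.
    for entry in sorted(os.listdir("/Applications")):
        if entry.endswith(".app"):
            try:
                print(audit_app(os.path.join("/Applications", entry)))
            except (OSError, plistlib.InvalidFileException) as exc:
                print(entry, "unreadable:", exc)
```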

To: Swordmaker

for later


4 posted on 02/09/2016 3:03:42 PM PST by apocalypto
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Ping


5 posted on 02/09/2016 3:06:55 PM PST by dragonblustar
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
> “It involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution.”

Another vulnerability thanks to Java.

It is just this sort of security hole that is why I have yet to install Java on my iPad.

6 posted on 02/09/2016 3:12:06 PM PST by Pontiac (The welfare state must fail because it is contrary to human nature and diminishes the human spirit.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker
> “People who aren't sure if an app on their Mac is safe should consider avoiding unsecured Wi-Fi networks or using a virtual private network when doing so,” Goodin reports.

The problem is, that many people who aren't sure of computing are the very same people who use unsecured Wi-Fi. I'm highly suspicious of using unsecured Wi-Fi, and diligent in protecting myself whenever using it. An analogy would be using a condom for sex with strangers (which would never apply to me as I'm happily married!). I'll use my iPad, but rarely my Mac outside on an unsecured Wi-Fi network - the iPad is far safer and easier to recover from potential hijacking. Not that Macs aren't safe, just reducing my exposure to near zero on attacks.

7 posted on 02/09/2016 3:49:34 PM PST by roadcat
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Bookmarking for further research...


8 posted on 02/09/2016 3:58:18 PM PST by miserare ( "What difference does it make?"~~Benghazi Hil)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Pontiac; Swordmaker

> Another vulnerability thanks to Java.

Actually JavaScript and Java are completely unrelated. The name JavaScript was “borrowed” from Java but they have nothing to do with each other.

That’s not to excuse the language Java, of course. Just the names. :-)


9 posted on 02/09/2016 4:08:51 PM PST by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")
[ Post Reply | Private Reply | To 6 | View Replies]

To: Pontiac

You have JavaScript on your iPad. It runs in the browser. JavaScript is not Java.


10 posted on 02/09/2016 5:00:20 PM PST by AFreeBird
[ Post Reply | Private Reply | To 6 | View Replies]

To: dayglored

Thanks for the enlightenment.


11 posted on 02/09/2016 5:40:48 PM PST by Pontiac (The welfare state must fail because it is contrary to human nature and diminishes the human spirit.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: Swordmaker

And, once again, you’ve supplied the answer to why one should use their iPhone’s personal hotspot. Thanks for the ping!


12 posted on 02/09/2016 5:58:18 PM PST by callisto (The NSA - "We're the only part of government who actually listens to the people.")
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker

bump


13 posted on 02/09/2016 6:27:44 PM PST by Albion Wilde (Who can actually defeat the Democrats in 2016? -- the most important thing about all candidates.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: callisto

So a personal hotspot (which I don’t know how to set up) is safer than using the wi-fi while at the beauty salon which may not be secure? I’m confused about how to stay safe in normal life using portable devices.


14 posted on 02/11/2016 1:02:51 AM PST by The Westerner
[ Post Reply | Private Reply | To 12 | View Replies]

To: Swordmaker

Sunday bump


15 posted on 02/13/2016 10:21:47 PM PST by Albion Wilde (Who can actually defeat the Democrats in 2016? -- the most important thing about all candidates.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: The Westerner

If you have an iPhone or a iPad with Cellular, it’s the easiest thing to do. Go into settings, select the fifth item, which is “Personal Hotspot” and tap on it. Turn it on, if it isn’t already. Turn on your Mac and then click on the WIFI pie icon on the menu bar. Look for the name of your iPhone or iPad. Enter the passcode that is listed on your Personal Hotspot (you can select your own on the Personal Hotspot page, but don’t make it too simple). The Mac will then connect. Done.

Your iPhone/iPad does not have to be active to continue your session, but it will have to be active to initiate a connection and may have to be on the Hot spot page. This is not always necessary, but only if you are having trouble connecting.


16 posted on 02/13/2016 10:54:17 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue....)
[ Post Reply | Private Reply | To 14 | View Replies]

To: Swordmaker
Thank you so much for taking the time to write clear instructions. I used to do Systems Pgm on the 370s. But when I quit to switch careers, I didn't want to program ever again. At this point where we carry a complex computer in our pockets it's a necessity to think like a programmer conceptually or have assistance from others. Rather depressing that technology is evolving so quickly that an iPad 1 or a mini that isn't updated regularly becomes obsolete within 6 years (the best iPad 1 frozen at 5.1!). And Quicken no longer functions on my wonderful XP, so I'm stuck wondering whether to upgrade the 2003 PC to at least Windows 7 or take it offline and convert my Quicken data to MacBook Pro (Mountain Lion). See how time stops for no man? Thanks again, Sword!
17 posted on 02/17/2016 1:18:59 PM PST by The Westerner
[ Post Reply | Private Reply | To 16 | View Replies]

