Sparkle vulnerability leaves some Mac apps susceptible to attacks

Camtasia, uTorrent, and other Mac apps are susceptible to man-in-the-middle attacks that install malicious code, thanks to a vulnerability in Sparkle, reports Ars Technica.

Sparkle is an open source software-update framework for Mac apps, available under the permissive MIT license and developed on GitHub by the Sparkle Project with the help of dozens of contributors. It uses ARC and Auto Layout and supports OS X versions 10.7 through 10.11 and Xcode 5.0 through 7.0.

Ars Technica says the vulnerability affects apps that ship a vulnerable version of Sparkle and fetch their update feed from the update server over unencrypted HTTP. Sparkle displays the release notes from that feed in a WebKit view with JavaScript enabled, so an attacker positioned on the network between the app and the server (the man-in-the-middle of the headline) can alter the HTTP response in transit, inject content of their own into that view, and have its JavaScript execute on the victim's Mac.
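A practical way to check your own Mac for the plaintext-feed half of this problem is to look at what each installed app tells Sparkle to fetch. The script below is an added example written for this article, not code from Ars Technica or from the Sparkle Project. It relies on two facts about how Sparkle is integrated: an app embeds the framework at Contents/Frameworks/Sparkle.framework, and it names its update feed (the "appcast") in the Info.plist key SUFeedURL. It also parses an appcast document, because a feed fetched over HTTPS still does the attacker's work for them if the release-notes link or the download enclosure inside it points at plain HTTP. The sample Info.plist entries and the sample appcast are constructed for the demonstration; the host name example.invalid does not exist.

```python
"""Audit Mac app bundles for Sparkle update feeds served over plain HTTP.

Added example for this article, not Sparkle project code. Assumes the
standard bundle layout (Contents/Info.plist, Contents/Frameworks/Sparkle.framework)
and the Sparkle Info.plist key SUFeedURL. Sample inputs below are constructed.
"""
import os
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_FRAMEWORK = os.path.join("Contents", "Frameworks", "Sparkle.framework")
SPARKLE_NS = {"sparkle": "http://www.andymatuschak.org/xml-namespaces/sparkle"}


def feed_url(info_plist_bytes):
    """Return the SUFeedURL from an Info.plist (XML or binary form), or None."""
    return plistlib.loads(info_plist_bytes).get("SUFeedURL")


def classify_feed(url):
    """'plaintext' for http://, 'encrypted' for https://, 'none' when unset,
    'other' for any remaining scheme."""
    if not url:
        return "none"
    scheme = urlparse(url).scheme.lower()
    if scheme == "http":
        return "plaintext"
    if scheme == "https":
        return "encrypted"
    return "other"


def audit_bundle(app_path):
    """Return (bundle name, verdict, feed URL) for one .app directory,
    or None if the app does not embed Sparkle at all."""
    if not os.path.isdir(os.path.join(app_path, SPARKLE_FRAMEWORK)):
        return None
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as f:
        url = feed_url(f.read())
    return (os.path.basename(app_path), classify_feed(url), url)


def scan(root="/Applications"):
    """Audit every .app directly under root; returns a list of findings."""
    findings = []
    for name in sorted(os.listdir(root)):
        if name.endswith(".app"):
            result = audit_bundle(os.path.join(root, name))
            if result is not None:
                findings.append(result)
    return findings


def audit_appcast(appcast_bytes):
    """Return [(kind, url), ...] for every release-notes link and download
    enclosure in an appcast that is served over plain HTTP."""
    root = ET.fromstring(appcast_bytes)
    plaintext = []
    for item in root.iter("item"):
        notes = item.find("sparkle:releaseNotesLink", SPARKLE_NS)
        if notes is not None and classify_feed(notes.text) == "plaintext":
            plaintext.append(("releaseNotesLink", notes.text.strip()))
        enclosure = item.find("enclosure")
        if enclosure is not None:
            url = enclosure.get("url")
            if classify_feed(url) == "plaintext":
                plaintext.append(("enclosure", url))
    return plaintext


# Constructed samples: an Info.plist that names a plaintext feed, one that
# names an HTTPS feed, and an appcast whose links are all plain HTTP.
SAMPLE_PLAINTEXT = plistlib.dumps({
    "CFBundleName": "ExampleApp",
    "SUFeedURL": "http://updates.example.invalid/appcast.xml",
})
SAMPLE_HTTPS = plistlib.dumps({
    "CFBundleName": "ExampleApp",
    "SUFeedURL": "https://updates.example.invalid/appcast.xml",
})
SAMPLE_APPCAST = b"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
 <channel>
  <item>
   <title>Version 2.0</title>
   <sparkle:releaseNotesLink>http://updates.example.invalid/notes-2.0.html</sparkle:releaseNotesLink>
   <enclosure url="http://updates.example.invalid/ExampleApp-2.0.zip"
              sparkle:version="2.0" type="application/octet-stream"/>
  </item>
 </channel>
</rss>
"""

if __name__ == "__main__":
    for name, verdict, url in scan():
        print(f"{verdict:10} {name}  {url}")
```

Two caveats when reading the output. A verdict of "none" does not mean the app is safe: Sparkle also lets an app supply its feed URL at runtime through the updater delegate instead of Info.plist, so an app with no SUFeedURL key needs a closer look rather than a pass. And an "encrypted" verdict only covers the feed itself; run audit_appcast over the fetched feed as well, since a release-notes page or download enclosure reached over HTTP is exactly the content the attacker wants to replace.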

Mac users who are not sure whether a given app is safe should consider avoiding unsecured Wi-Fi networks, or using a virtual private network when they do connect to one, Ars Technica notes. Even then, it will still be possible to exploit vulnerable apps, “but the attackers would have to be government spies or rogue telecom employees with access to a phone network or Internet backbone,” the article adds.