Recently, there have been a number of reports published regarding the vulnerability of a popular Mac OS X update framework called Sparkle. The type of security problem associated with the recently-discovered vulnerability is a man-in-the-middle attack; an attack that occurs when an attacker impersonates one side of a communication session.
The recently discovered vulnerability in Sparkle has caused concern with some OS X users about applications that use the Sparkle framework, such as VyprVPN. We want to ensure our users that VyprVPN is not affected by the Sparkle man-in-the-middle attack vulnerability. We’ve provided additional information below.
What is Sparkle and the reported vulnerability?
Sparkle is a commonly-used OS X framework used by apps not downloaded from the App Store for automatic app updates. The recently-discovered Sparkle vulnerability is a man-in-the-middle type attack over unsecure HTTP communication. Since the HTTP channel for updates through Sparkle is unencrypted, this means the channel could be hijacked by an impersonator to deliver malicious code to users.
What keeps VyprVPN OS X users safe from the vulnerability?
VyprVPN utilizes the Sparkle framework for automatic updates, but is unaffected by the vulnerabilities for the primary reason that VyprVPN only utilizes SSL-secure HTTPS channels for updates through Sparkle. This secure communication layer is not able to be hijacked or impersonated in the same manner as unencrypted HTTP traffic.
Why users of MacOS X 10.11 are secure
Users of MacOS X version 10.11 should also know that Apple has introduced a feature called App Transport Security. This feature disallows connections over unsecure HTTP using the NSURLConnection API unless the developer has specifically declared the domain in the application info.plist. Developers are strongly encouraged to use only HTTPS to access web resources.
Since most uses of HTTP are due to legacy code, Mac users on 10.11 and up are generally protected from an unsecure Sparkle update in the sense that the retrieval of resources over HTTP will generally fail.
Best practices to protect yourself
The best way to protect yourself from this vulnerability and many others is to use the latest production version of MacOS X and the latest production version of your applications. Security vulnerabilities are found and fixed by Apple and other software developers regularly. By using the latest versions of your software, you can avoid security holes that bad guys already know about.
If you have any questions or concerns, please feel free to reach out to us at firstname.lastname@example.org!