What you need to know about the Sparkle vulnerability affecting some OS X apps

A third-party framework, Sparkle, used by many popular Mac apps to deliver automatic updates has made them vulnerable to man-in-the-middle attacks that can be used to install malicious code on your Mac.

The new vulnerability puts a number of users of affected third-party apps at risk of being hijacked when those apps attempt to use the outdated framework to alert users of new app updates.

Who’s affected?

The problem, as noted by a security engineer named Radek on vulnsec.com, doesn’t affect apps that are updated through the Mac App Store, but rather, affects a number of third-party apps downloaded from the internet that are installed manually by the user and are using an outdated version of the Sparkle updater framework to regularly check for updates automatically in the background.

Lately, I was doing research connected with different updating strategies, and I tested a few applications working under Mac OS X. This short weekend research revealed that we have many insecure applications in the wild. As a result, I have found a vulnerability which allows an attacker take control of another computer on the same network (via MITM).
The vulnerability is not in code signing itself. It exists due to the functionality provided by the WebKit view that allows JavaScript execution and the ability to modify unencrypted HTTP traffic (XML response).