“Huge” number of Mac apps vulnerable to hijacking, and a fix is elusive
Apps that use 3rd-party updater over insecure HTTP channels subject to MiTM attacks.
Mac users have been proclaiming the superiority of their OS in terms of security (sorry, they still have security issues), lack of viruses (yes, they can technically get those as well), and so on… but even the most secure system is only as strong as its weakest link. The rising popularity of OS X (still only about ~10% of desktops) has made it a larger target recently, and security researchers have just discovered that apps that use the 3rd-party updater Sparkle over insecure HTTP channels are subject to MiTM attacks.
They estimate the number of vulnerable apps as "huge", but state there is no way to know for sure because it's not easy to detect all the conditions necessary for an app to be vulnerable. However, there are some big players that have been identified as vulnerable, including:
Camtasia 2, DuetDisplay, uTorrent, VLC, and Sketch. VLC has already released an update to patch the issue. If possible… check for updates.
A longer list of apps that rely on Sparkle is on GitHub (https://github.com/sparkle-project/Sparkle/issues/717), but readers are cautioned that not all of them communicate over insecure HTTP channels or use a vulnerable version of the update framework. So while the chat client Adium uses Sparkle, it does so over HTTPS, so it's not vulnerable.
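Because the GitHub list does not say which apps fetch their update feed over plain HTTP, a quick way to screen your own machine is to read each app bundle's Info.plist and look at the scheme of the Sparkle feed URL. The script below is an added example for this post, not code from the article or from the Sparkle project; it assumes Sparkle's standard `SUFeedURL` Info.plist key, the usual `/Applications/*.app/Contents/Info.plist` bundle layout, and constructed sample plists for the self-check. It only flags the feed URL scheme; whether the embedded Sparkle framework itself is a vulnerable version is a separate check the script does not make.

```python
"""Screen macOS app bundles for a Sparkle update feed served over plain HTTP.

Sparkle reads its appcast location from the app's Info.plist key SUFeedURL.
Apps whose feed is fetched over http:// are the ones the article describes as
exposed to a MitM on the update channel; https:// feeds (the Adium case) are
not in that category. This is a screen, not proof: an app can embed Sparkle
and set the feed URL in code instead of in Info.plist.
"""
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

SPARKLE_FEED_KEY = "SUFeedURL"  # real Sparkle key; assumed to be where the app declares its feed


def classify_feed_url(url):
    """Return 'insecure' for http://, 'secure' for https://, 'other' for anything else."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "http":
        return "insecure"
    if scheme == "https":
        return "secure"
    return "other"


def audit_info_plist(plist_bytes):
    """Classify one Info.plist. Returns (feed_url, verdict).

    verdict is 'no-sparkle-feed' when the app declares no SUFeedURL at all.
    """
    info = plistlib.loads(plist_bytes)
    url = info.get(SPARKLE_FEED_KEY)
    if not url:
        return None, "no-sparkle-feed"
    return url, classify_feed_url(url)


def audit_applications(root="/Applications"):
    """Walk *.app bundles under root and yield (bundle path, feed url, verdict)."""
    for app in sorted(Path(root).glob("*.app")):
        plist = app / "Contents" / "Info.plist"
        if not plist.is_file():
            continue
        try:
            url, verdict = audit_info_plist(plist.read_bytes())
        except Exception as exc:  # malformed plist: report it, do not abort the sweep
            yield str(app), None, f"unreadable ({exc.__class__.__name__})"
            continue
        yield str(app), url, verdict


# Constructed sample plists (hypothetical bundle ids, not real apps) for a self-check.
SAMPLE_INSECURE = plistlib.dumps({
    "CFBundleIdentifier": "com.example.insecureapp",
    "SUFeedURL": "http://updates.example.com/appcast.xml",
})
SAMPLE_SECURE = plistlib.dumps({
    "CFBundleIdentifier": "com.example.secureapp",
    "SUFeedURL": "https://updates.example.com/appcast.xml",
})
SAMPLE_NO_SPARKLE = plistlib.dumps({"CFBundleIdentifier": "com.example.plainapp"})

if __name__ == "__main__":
    # Print only the bundles whose feed is fetched over plain HTTP.
    for app, url, verdict in audit_applications():
        if verdict == "insecure":
            print(f"{app}: {url} -> {verdict}")
```

Run it as-is on a Mac to list bundles with an `http://` feed; an empty result does not clear a machine, since apps that configure Sparkle in code, or ship a vulnerable framework behind an HTTPS feed, are not caught by this check.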
Paul Smith-Keitley says
you must be wrong – Apple is very secure 😉
Paul Spoerry says