A security hole is discovered in Mac applications that use older versions of Sparkle


For those who do not know Sparkle, a brief clarification: it is a framework used by some third-party applications in their updaters to periodically check for and install new versions. However, it has been discovered that older versions of this framework can be potentially unsafe due to a recently discovered vulnerability.

On Tuesday of this week, the security problem, which affects some applications downloaded from the Internet, came to light. Fortunately, it does not affect those downloaded from the Mac App Store, for obvious reasons: the latter are updated through the store itself over its secure network. The root of the problem seems to lie in the lack of an encrypted, secure connection when checking for updates, which may leave room for a man-in-the-middle attack.


The question now is: which applications are affected? Although we cannot know a priori which applications use this framework, a list has been created on GitHub, built by users, of applications that are developed with this insecure version of the updater and that may be prone to attack, which at least gives us a general idea of whether our computer may be affected.

Still, do not be alarmist: many of these applications only use Sparkle as a framework for their updates, but that does not mean all of them are affected by the vulnerability, only those that use an outdated version that checks for updates over an HTTP channel instead of HTTPS.

The easiest way to protect yourself from this vulnerability is, if you are told that there is a new update, not to download it directly through the updater, but to go directly to the developer's website and download it manually, which saves us trouble until we know for sure that the application is not affected.
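As an added example (not code from the original post or from the Sparkle project), the following Python script checks which app bundles in a folder embed Sparkle and whether the appcast URL they declare is plain http. It assumes the usual bundle layout, with the framework at Contents/Frameworks/Sparkle.framework and the feed URL under the SUFeedURL key of Contents/Info.plist, which is the key Sparkle reads; the sample bundles it builds are constructed, and the hostnames are placeholders.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed bundle layout: Sparkle.framework embedded under Contents/Frameworks,
# and the appcast URL stored under the SUFeedURL key of Contents/Info.plist.
SPARKLE_FW = Path("Contents") / "Frameworks" / "Sparkle.framework"
INFO_PLIST = Path("Contents") / "Info.plist"

def sparkle_feed_url(app_dir):
    """Return the app's Sparkle appcast URL, or None if the bundle does not
    embed Sparkle.framework or declares no SUFeedURL."""
    app_dir = Path(app_dir)
    if not (app_dir / SPARKLE_FW).is_dir() or not (app_dir / INFO_PLIST).is_file():
        return None
    with (app_dir / INFO_PLIST).open("rb") as fh:  # plistlib reads XML and binary plists
        return plistlib.load(fh).get("SUFeedURL")

def classify(feed_url):
    """Map a feed URL to a finding; a plain-http feed is the indicator the post describes."""
    if feed_url is None:
        return "no-sparkle-feed"
    scheme = feed_url.split(":", 1)[0].lower()
    if scheme == "https":
        return "https-feed"
    if scheme == "http":
        return "http-feed"  # update check can be tampered with in transit: update manually
    return "unexpected-scheme"

def scan(apps_root):
    """Classify every *.app directly under apps_root (e.g. /Applications)."""
    return {app.name: classify(sparkle_feed_url(app))
            for app in sorted(Path(apps_root).glob("*.app"))}

def build_sample(root):
    """Constructed sample bundles (not real apps) so the scanner runs offline."""
    samples = {"Legacy.app": "http://example.invalid/appcast.xml",
               "Modern.app": "https://example.invalid/appcast.xml",
               "Plain.app": None}  # no Sparkle at all
    for name, feed in samples.items():
        app = Path(root) / name
        (app / INFO_PLIST).parent.mkdir(parents=True)
        info = {"CFBundleIdentifier": "test." + name.lower()}
        if feed is not None:
            (app / SPARKLE_FW).mkdir(parents=True)
            info["SUFeedURL"] = feed
        with (app / INFO_PLIST).open("wb") as fh:
            plistlib.dump(info, fh)
    return root

def demo():
    """Build the constructed bundles in a scratch directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample(tmp))

if __name__ == "__main__":
    for app, finding in demo().items():
        print(f"{app}: {finding}")
```

An https feed only removes the plain-HTTP indicator the post describes; the real fix is still an application build that ships an updated Sparkle.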

  1.   wicked said

    The link gives an error when trying to consult the list of affected apps in GitHub: 404 page not found

  2.   Marcelo Naranjo Arcos said

    The link to see the list of affected applications does not work

  3.   Miguel Angel Juncos said

    Corrected the link. Thanks for the warning.