how to: check for Sparkle vulnerability

Screen Shot 2016-02-12 at 15.32.18

[updated Mon 15th:]

Here’s what we know about the widely-reported vulnerability found in Sparkle so far:

1. It requires a version of Sparkle earlier than 1.13
2.1 It requires the SUFeedURL address to be an unencrypted http address AND/OR
2.2 the release notes address to be an unencrypted http address.

Condition 1 and one (or more) of conditions 2 need to be true to make the exploit possible. You can check to see if condition 2.1 is true for many apps on your system with the following procedure:

1. Control-click on the app in the Finder
2. Choose ‘Show Package Contents’
3. Navigate to /Contents/Info.plist
4. Hit the space bar to open in quick look, scroll down for the SUFeedURL field (it won’t have one if it doesn’t use Sparkle). The field will show you whether the address is https or not.

To make life easier, you can run this script in the AppleScript Editor (/Applications/Utilites/Script to do the job for you.

#script version 1.64
#regression to 1.52 and then
#added: now includes apps that do not have SUFeedURL key in plist and reports their Sparkle version number
#added: borrowed Bill Cheeseman's idea of using choose list and offering to launch the app
#added: borrowed reverse_offset handler from Nigel Garvey's post on MacScripter
#changed: test if Sparkle is < 1.13.1 first
#shows the Sparkle version number for each entry in the list
#added logic for opening prefPanes if chosen from the list
#changed the mdfind command to improve speed
#searches for keys of the form "SUFeedURL*" rather than just "SUFeedURL"

on extractSUFeedURL(aRecord)

set aRec to "httpx"
set aRec to item 1 of aRecord
on error errorMessage
set aRec to errorMessage
set aRec to my parseErrorMsg(aRec)
end try

return aRec

end extractSUFeedURL

on parseErrorMsg(aErr)

set what to "SUFeedURL" --define the full or partial record name you're trying to find
if aErr contains what then
set theStart to offset of what in aErr
set thisString to text theStart thru -1 of aErr
set theEnd to offset of "," in thisString
set subString to text 1 thru theEnd of thisString
--log subString --see the record name and its value in Script Editor's Messages pane
return subString
end if
end parseErrorMsg

on reverse_offset(d, t)
set astid to AppleScript's text item delimiters
set AppleScript's text item delimiters to d
set ro to (count t) - (count text item -1 of t)
set AppleScript's text item delimiters to astid
return ro
end reverse_offset

set foundCounter to 0
set infoFilePath to "/Contents/info.plist"

set theApps to do shell script "mdfind \"kMDItemFSName == '*.prefPane'cd || kMDItemFSName == '*.app'cd'\""
set theApps to paragraphs of theApps
set sparkleAppsList to {}

tell application "System Events"
repeat with anApp in theApps
set anApp to anApp as text
set aFrameWork to anApp & "/Contents/Frameworks/Sparkle.framework"

if exists disk item aFrameWork then
--get Sparkle Version first
set aSparklePlist to aFrameWork & "/Versions/A/Resources/Info.plist"
set thePlist to contents of property list file aSparklePlist
set theValue to value of thePlist
set sparkleVersion to CFBundleShortVersionString of theValue as text
on error
set sparkleVersion to CFBundleVersion of theValue as text
end try
end try
-- compare version num
considering numeric strings
set vulnerable to sparkleVersion < "1.13.1"
end considering
if vulnerable then
--get SUFeedURL if it exists
set thePlist to contents of property list file (anApp & infoFilePath)
set theValue to value of thePlist

set thisSUFeedURL to my extractSUFeedURL(theValue)
if length of thisSUFeedURL = 0 then

set thisSUFeedURL to "httpx"
end if
on error
set thisSUFeedURL to "httpx"
end try

if thisSUFeedURL contains "http:" then
set end of sparkleAppsList to anApp & " : uses insecure update URL (not https) " & "with Sparkle v" & sparkleVersion
set foundCounter to foundCounter + 1
else if thisSUFeedURL contains "httpx" then

set end of sparkleAppsList to anApp & " : update URL unknown (http/https??); uses Sparkle v" & sparkleVersion & linefeed & linefeed
set foundCounter to foundCounter + 1

end if

end if
end if
end repeat
end tell

set thePrompt to "Found " & foundCounter & " items that may be using a vulnerable form of the Sparkle framework: " & linefeed & linefeed

choose from list sparkleAppsList with title "Sparkle Vulnerability Check" with prompt thePrompt OK button name "Launch"

if result is not false then
set appPath to item 1 of result
get offset of " :" in appPath
set appPath to text 1 thru (result - 1) of appPath
set ro to reverse_offset("/", appPath)
set appPath to text (ro + 1) thru -1 of appPath
if appPath contains "prefPane" then
set paneOffset to offset of "." in appPath
set paneName to text 1 thru (paneOffset - 1) of appPath
log paneName
tell application "System Preferences"
reveal (first pane whose name is paneName)
end try
end tell
tell me to launch application appPath
end if
end if


However, be aware that this script will not find certain plug-ins (e.g., Mail plug-ins that use Sparkle).

If the app runs on 10.6, it’s not possible for Sparkle to be updated to the latest secure version, 1.13.1, so you need to check with the developers that they’re using https addresses for both the appcast feed and the release notes html.

Rest assured that Sqwarq apps that use Sparkle (App Fixer, DetectX, FastTasks 2, and OSXClock) all use encrypted https update feeds and release notes addresses, so as far as we’re aware at the moment, none of our apps are vulnerable to the exploit regardless of what version of Sparkle they’re using.

As said above, we’ll update this post if things change as the story unfolds.

Credits: Thanks to Yvan for significantly improving my earlier drafts of the AppleScript and writing the code for retrieving the Sparkle bundle number. Thanks to Chris Stone for tweaking and eeking a bit more speed out of the mdfind command. Thanks to Al for pointing out that in earlier versions of the script the Display Dialog message could get truncated.

About philastokes

Freelance Writer, Developer and Technical Communicator. Explaining the unexplainable with images, video and text. Scripting anything imaginable in Applescript, Bash, C, Objective C, Cocoa, Python and Xcode.

Posted on February 10, 2016, in Security and tagged , , . Bookmark the permalink. 6 Comments.

  1. Thanks for the great post!

    By the way can I (humbly) suggest you to give a read to: ? It would greatly enhance the legibility of your posts (also a larget content area theme would help).

    Keep up the great work!

    • Thanks.

      Alas, doesn’t support AppleScript syntax.

      A while ago I started writing a script to automatically mark up applescript with html tags that would add the syntax highlighting, but I’ve been too busy to finish it.

      I’ll get round to it one day though…

      • Ah, OK…so I actually read past the supported languages and saw we could get some other features (I’m a big fan of line numbers!). Thanks for the tip!🙂

        Edit: Hmm, actually those shortcodes don’t seem very stable. Had to give up on them unfortunately. Nice idea while it lasted though!

  2. I ran across about a half dozen apps that use Sparkle but do not list an SUFeedURL, so they must use some other means which may or may not be secure. Examples are Data Rescue 4, DriveDx and MacPilot. Any idea how to check those?

    • Off the top of my head, I’ve no idea how you could implement Sparkle without an SUFeedURL, but I’ll look into it and post back.

      In the meantime, if you have Little Snitch installed, I suppose you could click ‘Check for Updates’ in one of those apps and catch the URL in Little Snitch’s activity monitor.

      • OK, in the case of DriveDx (I’m going to assume it’s the same for the others), they’ve put the appcast URL and the release notes URL in the MacOS binary


        You can check that if you have Xcode Command Line Tools installed by doing

        strings /path/to/binary | grep -i appcast

        In the case of DriveDx (may not be true for the others) neither the appcast URL nor the release notes URL are secure, so you definitely want to encourage them to sort that out.

        Again, in the case of DriveDx or any other app that runs on Snow Leopard, they won’t be able to update Sparkle to 1.13.1 because recent versions of Sparkle require 10.7 or higher. In DriveDx’s case, the only way they can make it secure is to change BOTH the appcast url AND the release notes url to https encrypted URLs.

%d bloggers like this: