[nobullet]

Lots of apps in this list are there because they use Sparkle Framework. It doesn't automatically mean that if an app uses Sparkle it is vulnerable. Each must be checked for insecure HTTP requests. Sparkle is not the reason of the vulnerabilities. Sparkle clearly states: use HTTPS.

[retx]

That's totally true but, WebView allows to execute unsafe handlers like 'file://', 'ftp://'. As a result in the worst case scenario when appcast webserver was compromised then you don't need a private DSA key (which I suppose is well protected on developers computers) to sign new binary, you can just modify XML from appcast to get remote code execution on OSX computers actually checking for an update. In short, from the website security flaw to RCE on thousands of computers, or even more, then you don't need an active MITM attack actually, think about it.

I would consider it as 2 different vulnerabilities.

[pquerna]

Right, the ability for an attacker to change an XML file like this could be considered two separate issues.

Things like this is why The Update Framework (TUF) Specification was created:

https://theupdateframework.github.io/

The specification covers exactly this kind of attack and has signing of all of the data about an update:

https://github.com/theupdateframework/tuf/blob/develop/docs/...

But, as far as I know, there isn't an implementation of TUF that works with ObjectiveC and all the other parts of Sparkle, to actually update an OSX application.