When you download an application from the Mac App Store, you have the peace of mind of knowing that it has been verified by Apple, and that Apple's own servers and authentication system handle the initial installation and future updates. Outside the store, many apps use a handy update framework called Sparkle.
The blog Vulnerable Security recently highlighted a serious security flaw in Sparkle that affects numerous Mac apps, including well-known names like Adium, Camtasia, Coda, Duet Display, Sequel Pro (shown in the video below), Sketch and VLC.
As the screenshot shows, the loophole allows man-in-the-middle (MITM) attacks against the Sparkle update framework. With it, attackers can execute malicious code remotely at the moment the user checks for updates to one of these apps, on both OS X Yosemite and El Capitan.
The good news is that not every app that uses Sparkle is susceptible to the vulnerability: only those that check for updates over plain HTTP (rather than HTTPS, over an encrypted connection). In addition, since the flaw was disclosed, several developers have already rushed to release corrected versions. In that case, it is recommended to download them directly from the applications' official websites so as not to run any risk.
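One way to check whether an installed app falls into the HTTP-only group, as an added example that is not from the article or from the Sparkle project: Sparkle apps normally declare their update feed in the bundle's `Contents/Info.plist` under the `SUFeedURL` key, so a small audit script can flag feeds that use `http://`. The sample plist and the `example.invalid` host below are constructed for the demonstration.

```python
import os
import plistlib
from urllib.parse import urlsplit

# Sparkle reads its update feed location from the SUFeedURL key in the
# app bundle's Contents/Info.plist. A plain http:// feed is the condition
# described above: the feed can be tampered with in transit.
FEED_KEY = "SUFeedURL"

def classify_feed_url(url):
    """Return 'plaintext' for http://, 'encrypted' for https://, else 'unknown'."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "http":
        return "plaintext"
    if scheme == "https":
        return "encrypted"
    return "unknown"

def audit_info_plist(plist_bytes):
    """Parse an Info.plist (XML or binary) and report its Sparkle feed exposure.

    Returns the bundle id, the feed URL (None if the app does not declare a
    Sparkle feed in its plist) and the classification of that URL."""
    info = plistlib.loads(plist_bytes)
    feed = info.get(FEED_KEY)
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "feed_url": feed,
        "status": classify_feed_url(feed) if feed else "no-sparkle-feed",
    }

def audit_bundle(app_path):
    """Audit a real .app bundle on disk, e.g. '/Applications/SomeApp.app'."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        return audit_info_plist(fh.read())

# Constructed sample Info.plist (not taken from any real app), using a
# plaintext feed URL so the audit reports it as exposed.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.SampleApp</string>
    <key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(audit_info_plist(SAMPLE_PLIST))
```

An app can also supply its feed URL from code rather than from the plist, so a bundle with no `SUFeedURL` key is not necessarily safe; treat "no-sparkle-feed" as "needs a closer look", not as a clean result.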
Bear in mind that there is nothing to worry about if you only download updates directly from Apple, via the Mac App Store.
(via Ars Technica)