Mac apps that use Sparkle updater vulnerable to hijacking attack

Dan Goodin, writing for Ars Technica:

Camtasia, uTorrent, and a large number of other Mac apps are susceptible to man-in-the-middle attacks that install malicious code, thanks to a vulnerability in Sparkle, the third-party software framework the apps use to receive updates.

The vulnerability is the result of apps that use a vulnerable version of Sparkle along with an unencrypted HTTP channel to receive data from update servers. It involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution. As a result, attackers with the ability to manipulate the traffic passing between the end user and the server—say, an adversary on the same Wi-Fi network—can inject malicious code into the communication. A security engineer who goes by the name Radek said that the attack is viable on both the current El Capitan Mac platform and its predecessor Yosemite.

Note that Camtasia is in the official Mac App Store. This isn’t simply a problem confined to apps sold in the wild. I struggle to wrap my head around the specifics, but the articles I’ve read give the sense that this is an issue with using HTTP, that the problem would be solved if HTTPS were required.

As to Sparkle, it sounds like they’ve fixed the problem on their end, but developers need to rebuild and resubmit their apps to get that fix in the App Store. And there doesn’t appear to be an easy way to tell if the apps on your machine are vulnerable. Hopefully, Apple will address this quickly.
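
One way to check for the HTTP half of the condition described in the Ars Technica excerpt, as an added example that is not code from the article or from the Sparkle project: the script lists app bundles that embed Sparkle.framework and reports whether the update feed declared in each app's Info.plist uses plain HTTP. It assumes the feed is declared under Sparkle's `SUFeedURL` key and that the framework sits at `Contents/Frameworks/Sparkle.framework`; it reports the bundled Sparkle version but does not judge it, since the excerpt does not say which versions are fixed.

```python
#!/usr/bin/env python3
"""List app bundles that embed Sparkle and fetch their appcast over plain HTTP."""
import plistlib
import sys
from pathlib import Path
from urllib.parse import urlparse


def read_plist(path):
    """Return the parsed plist at path, or {} if it is missing or malformed."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
        return data if isinstance(data, dict) else {}
    except Exception:  # unreadable file, bad XML, unknown plist format
        return {}


def inspect_app(app):
    """Return a finding dict for one .app bundle, or None if it has no Sparkle."""
    contents = Path(app) / "Contents"
    framework = contents / "Frameworks" / "Sparkle.framework"  # assumed layout
    if not framework.is_dir():
        return None
    info = read_plist(contents / "Info.plist")
    # The framework's own Info.plist carries the Sparkle version string.
    fw_info = read_plist(framework / "Resources" / "Info.plist")
    feed = str(info.get("SUFeedURL", "")).strip()
    scheme = urlparse(feed).scheme.lower()
    if scheme == "http":
        status = "insecure-http"
    elif scheme == "https":
        status = "https"
    else:
        status = "unknown"  # feed set in code or missing: needs manual review
    return {
        "app": Path(app).name,
        "sparkle_version": fw_info.get("CFBundleShortVersionString", "unknown"),
        "feed_url": feed or None,
        "status": status,
    }


def scan_apps(root):
    """Inspect every .app directly under root; return findings sorted by path."""
    found = (inspect_app(p) for p in sorted(Path(root).glob("*.app")))
    return [f for f in found if f]


if __name__ == "__main__":
    for f in scan_apps(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(f"{f['status']:14} {f['app']:30} Sparkle {f['sparkle_version']}  {f['feed_url']}")
```

An `insecure-http` result means only that the update feed travels unencrypted; an `unknown` result means the app sets its feed at runtime and has to be checked by other means.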