Applications using Sparkle #717

pornel opened this Issue Jan 20, 2016 · 150 comments

@pornel
Member
pornel commented Jan 20, 2016

Edit: this issue has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.

Sparkle website lists some Mac apps that use the framework, but this list has been compiled a while ago.

Edit: thanks for your suggestions! We've got a long list!

Here's my list:

  • Acorn
  • Adium
  • Bittorrent Sync
  • Carbon Copy Cloner
  • Cinch
  • Colloquy
  • Evernote
  • Fantastical
  • Fitbit Connect
  • Flux
  • Handbrake
  • iTerm
  • Karabiner
  • Sequel Pro
  • Sidestep
  • Slack
  • Transmission
  • Twitterrific
  • Vienna
  • Vivaldi
  • VLC
  • WebKit Nightly
  • Wine
@jakepetroules
Member
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
  • Colloquy
  • Cyberduck
  • Dashlane
  • Fabric
  • Gitter
  • Goofy
  • ImageOptim
  • Messenger
  • Mou
  • Quicken 2016
  • Slack
  • SourceTree
  • TeamViewer
  • UnicodeChecker
  • XQuartz
  • VLC
@w0lfschild

AirParrot 2
AppCleaner
Bartender 2
CodeKit
DaisyDisk
DockMod
FinderPath
GridMount
Image2Icon
LiteIcon
Platypus
Reflector 2
Übersicht
XLD

@nlap
nlap commented Jan 29, 2016

AccountEdge Pro
AirServer
Bartender
BetterTouchTool
Billings
Boxer
Cakebrew
Capo
coconutBattery
Coda 2
ColorMunki Display
Cornerstone
CrossOver
Disk Drill
djay
duet
Go2Shell
GPG Keychain
HandBrake
HoudahSpot
Intensify Pro
MacDown
MAMP
Money
Monodraw
Notational Velocity
Paw
PhoneView
Sketch
TexShop
UnRarX

@mikemcc
mikemcc commented Jan 29, 2016

DiskMaker X
Fluid
Mailplane 3
uTorrent

@mmlac-bv

0 Adium.app
1 Cyberduck.app
2 Dash.app
3 Doit.im.app
4 Evernote.app
5 HipChat.app
6 iTerm.app
7 Karabiner.app
8 Merlin.app
9 Mixed In Key 6.app
10 Screenhero.app
11 Seil.app
12 SizeUp.app
13 Sublime Text 2.app
14 TeamViewer.app
15 VLC.app

@DomT4
DomT4 commented Jan 29, 2016

Ones not mentioned already:

  • Dash
  • DS_Store Cleaner
  • KeepingYouAwake
  • Keka
  • Malwarebytes Anti-Malware
  • Pacifist
  • Skim
@Miguel-Alonso

More apps:

Bitcasa
iChm
Keka
Last.fm
Paperless
RescueTime

@tergen
tergen commented Jan 29, 2016

More:

Marked 2
nvALT
TeX Live Utility

@xhacker
Contributor
xhacker commented Jan 29, 2016
  • Inboard
  • Arq
  • Texpad
  • Pomotodo
@jkbullard

Um, so an application using Sparkle is an Issue? Why?

I understand that some applications that use Sparkle use it insecurely, but not all do. Tunnelblick, for example, uses https: for all Sparkle traffic.

@zorgiepoo
Member

@jkbullard No, you're right. Also, this thread is not related to the recent vulnerability

@Xaositek
  • AppZapper
  • BetterTouchTool
  • Coda 2
  • Colloquy
  • duet
  • Flux
  • HandBrake
  • iTerm
  • OpenEmu
  • Sequel Pro
  • Transmission
  • VLC
@vitu
Contributor
vitu commented Jan 30, 2016

Not yet mentioned:

  • A Better Finder Attributes
  • A Better Finder Rename
  • Alfred
  • BetterZip
  • Big Mean Folder Machine
  • Clarify
  • CleanMyMac (update framework based on Sparkle)
  • Cookie
  • JavaApplet (/Library/Internet Plugin-Ins)
  • GPG Suite
  • iMazing (update framework based on Sparkle)
  • Localization Suite (Localization Manager + Localization Dictionary + Localizer)
  • Mactracker
  • Moom
  • MplayerX
  • NetSpeedy
  • PhotoBulk
  • Piezo
  • Posterizo
  • PowerPhotos
  • Radar
  • WordCounter
  • XliffViewer
@nootrope

Not mentioned as of this writing:

@pejacoby

CD Spin Doctor (from Toast Titanium 10 app collection)
DynDNSUpdater
Coconut ID
Geekbench
Impactor
IPNetMonitor X
iStumbler
KisMAC
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware Service.xpc
NetSpot
OpenDNS Updater 3.0
PwnageTool
Quicken 2007

is anyone building a list of apps that use HTTP vs HTTPS, related to the MITM vulnerability?

@davedittrich

Adium.app
BibDesk.app
Chicken.app
CoRD.app
Dragon Dictate.app
GitX.app
Gizmo5.app
GraphicConverter.app
HandBrake.app
iExplorer.app
Monolingual.app
PwnageTool-3.1.5.app
PwnageTool-4.2.app
RecBoot.app
rooSwitch.app
SIP Communicator.app
Song Surgeon 4.app
StuffIt 12
TeXShop.app
Timeline 3D.app
Transmission.app
Viscosity.app

@sindarina

Divvy
MDRP (Mac DVDRipper Pro)
Simon
Things
VoodooPad

@inismor
inismor commented Feb 2, 2016

HandBrakeBatch
Lyve
MacPilot
MyHarmony
PaintCode 2
TurboTax 2012-2015, at least
Versions
VideoMonkey

@laurentnguyen42
  • AppDelete
  • duet
  • Flux
  • KeepingYouAwake
  • RightFont
  • SizeUp
  • Sketch
  • uTorrent
  • VLC
@rasterbate

aText
Daylite
Data Rescue 4
Shiori
Trickster
Wine Bottler

@seltzered

Shortcat by @chendo
Jumpcut
Reveal
Switch
Time Sink
Radiant Player
Mixtape
Prizmo
nvALT
OpenSCAD
JewelryBox
Kaleidoscope
Drive Genius 4
Camtasia 2
DragonDrop
Turbotax (2012-2014)
VideoSpec

@craigburdett

Bento 3
Billings
Camtasia 2
Coda 2
ColorMunki Smile
DaisyDisk
Data Rescue 3
Flux
FontAgent Pro 6
Geekbench 3
HandBrake
iExplorer
ImageOptim
Miro
Monolingual
PowerPhotos
Scrivener
StuffIt Expander
Timing
VLS
Wondershare Data Recovery

@dxdc
dxdc commented Feb 9, 2016

MSG Viewer for Outlook (http://msgviewerforoutlook.com)

@helicine
helicine commented Feb 9, 2016

Air Video Server HD
Unison
xACT
Audio Hijack
Escort Detector Tools
Lingon X

@jeremybrooks

Adium
Disco
Fission
OpenEmu
SourceTree
XLD

@akac
akac commented Feb 9, 2016

Informant Calendar/Tasks (http://fanaticsoftware.com)

@pavarnos
pavarnos commented Feb 9, 2016

Things
Versions
VSee

@lapfelix

Here's my list of apps using HTTP (using @haikusw's command):
Adze Lite
Antidote 8
AppCleaner
Bartender
Beamer
Carbon Copy Cloner 2
Chocolat
CleanMyMac 2
CloudyTabs
CrossOver
Dash
Deploymate
Disk Drill
duet
Geekbench
gfxCardStatus
HoudahGeo 2
HoudahGeo
InsomniaX
iTeleport Connect
Live Interior 3D Pro
Mactracker
Malwarebytes Anti-Malware
Money
MoveToAppleMusic
Paintbrush
Plug
Quinn
Rdio
Reflector
Sequel Pro
Shapes
Sharepod
Snagit
Soulver
SourceTree
Sublime Text
TG Pro
Transmission
Transmit
Utilities/XQuartz
uTorrent
VLC Setup
Carbon Copy Cloner
Festify
Hopper Disassembler v3
Kext Wizard
Last.fm
LiteIcon
QuickRadar
Sketch Toolbox
BetterTouchTool
CocosBuilder
iVPN
Trailer
xScope

And here's my complete list of apps (for the original purposes of this thread):
Air Video Server HD
AirServer
Antidote 8
AppCleaner
Archiver
Bartender
Beamer
BetterTouchTool
Capo
Chatology
Chocolat
CleanMyMac 2
CloudyTabs
CocoaPods
CocosBuilder
Coda 2
CodeKit
CodeRunner
Crashlytics
CrossOver
Dash
Dashlane
Deploymate
Disk Drill
DiskAid
DropletManager
Dropzone-2
duet
Festify
Flux
Geekbench 3
gfxCardStatus
GitUp
Goofy
goofy-master
HandBrake
Harvest
HipChat
Hirundo
Hopper Disassembler v3
HoudahGeo
InsomniaX
iTeleport Connect
iTerm
iVPN
JollysFastVNC
Kaleidoscope
Kext Wizard
Knock
Last.fm
LiteIcon
Live Interior 3D Pro
maciej's Playlist Importer
Mactracker
Mailbox
Malwarebytes Anti-Malware
Money
MouseRecorder
MoveToAppleMusic
MPlayerX
Notifyr
OpenEmu
Paintbrush
PaintCode
Paw
Plug
QuickRadar
Quinn
Rdio
Reeder
Reflector
RescueTime
Reveal
Sequel Pro
Shapes
Sharepod
Sketch
Sketch Toolbox
Snagit
Soulver
SourceTree
Splashtop
TeamViewer
TG Pro
Tower
Trailer
Transmission
Transmit
TripMode
XQuartz
uTorrent
Versions
VLC
Waltr
Winclone
xScope

@ryanb1281

Two others, not already mentioned:
Beats Updater
YNAB 4

@sunjunkie

TechTool
FileThis Fetch
Devonagent

@ewm2000
ewm2000 commented Feb 10, 2016

My List

duet.app
PopClip.app
SourceTree.app
Sublime Text 2.app
TeamViewer.app
iStumbler.app

@ariporad

Bartender 2
BitTorrent
Colloquy
Dash
Drive
Fabric
Fake
Fluid
Fluid
Flux
Gitter
GitUp
iTerm
Karabiner
Knock
Malwarebytes Anti-Malware
MAMP
OpenSCAD
Repetier-Host Mac
Seil
SelfControl
Utilities
VLC

@buildabar

Hey guys, apparently a better way to check is by running this
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
Majority of apps I have use https to do Sparkle updates
Look for the apps using http and not https
So far I only have 2
icons8
utorrent

@jbarnaby

This is a list for apps that use Sparkle, no...? "Sparkle website lists some Mac apps that use the framework, but this list has been compiled a while ago. Let's update it! Please add yours." Rather than a list of affected apps...?

@buildabar

@jbarnaby Oh man you're so right, I just followed the Arstechnica link.

@LasseRafn

Ouch... there's A LOT. Even when I used the method that @buildabar suggested (http only)

HTTP only

Bittorrent
HockeyApp
Dropzone3
Fake
Flexiglass
Fluid
FramerJS
Miro Video Converter
MongoHub
Screenflow
SourceTree
Sublime Text 3
Throng
UnrarX
VLC
Vagrant Manager


All my apps running Sparkle

BitTorrent
CopyClip
DropShare
DropZone 3
Fake
FlexiGlass
Fluid
Framer Studio
Goofy
Sequel Pro
Miro Video Converter
MongoHub
Paparazzi!
Poedit
ScreenFlow
Sequel Pro
Sketch
SourceTree
TeamViewer
Throng
Transmit
Trello
Tunnelblick
UnRarX
XQuartz
Vagrant Manager
VLC
Zeplin

@ShadowPeo

HTTP only
BitTorrent Sync
Book Collector (Collectorz.com)
Duet (Duet Display)
Movie Collector (Collectorz.com)
Sublime Text 2
TripMode
uTorrent

@eldade
eldade commented Feb 10, 2016

DaisyDisk (though this one's on the App Store)
MyHarmony
SequelPro
Unarchiver
VLC
uTorrent

@fcw
fcw commented Feb 10, 2016

Here's a tweak on @buildabar's command that directly lists the names of the apps that don't use https on their SUFeedURLs:

for a in /Applications/*.app; do defaults read "$a/Contents/Info.plist" SUFeedURL 2>/dev/null | grep -v https >/dev/null && echo "${a##*/}"; done

Just VLC for me

@zorgiepoo
Member

Please note that discussing which apps are using http or https is off-topic to this thread.

@buildabar

hey @fcw doesn't quite work. When I run without I have more http apps

@Asomatous

Accordance 11
Alarm Clock Pro 2
Alarm Clock Pro
AppCleaner
Art Text 2
Audio Hijack Pro
BoinxTV
ClamXav
Comic Life 2
Comic Life 3
Comic Life Magiq
Comic Life
Contour
Corel Painter Sketch Pad
CoverScout 3
DesktopShelves
DiskMaker X 4b4
DiskMaker X 5
Downie (978)
Downie
Drive Genius 3
Ember
Focus 2
Focus
Font Finagler
ForkLift
FotoMagico 3.6
FotoMagico 3.8.8
FotoMagico
Get Backup 2.
GraphicConverter 7
GraphicConverter 8
GraphicConverter 9
HandBrake
iExplorer
iPhone Explorer
iSale 5
iShowU HD
Lumio
MacJournal
MindNode Pro
Nicecast
NoteBook
Pacifist
PDFpen
Phone To Mac
PhotoPresenter
Picturesque
Scapple
ScreenFlow
Scrivener
SMART Utility 2.1.2
Snapheal PRO
Snapheal
SongGenie 2
SongGenie
StoryMill
Swift Publisher 3
Toast Titanium
Tonality Pro
XQuartz
VLC
Winclone

@WBendrot

AirServer
Ambify
Audio Hijack
BitTorrent
Blue Jeans Scheduler for Mac
Cisco Jabber
Coda 2
Conductr Server
DEVONthink
Fluid
Fluid
Geekbench 3
HandBrake
HipChat
iTerm-2
Lookback
Myo Connect
NetSpot
Opacity
OpenEmu
OSCulator ƒ
PhoneExpander
ScreenFlow
Sequel Pro
Silverback
Sketch
SoundSoap
SourceTree
SousChef
Spark
Splice
TechTool Pro 8
Toast 14 Titanium
Transmit
VLC
WhatSize
WireTap Studio

@arjones67

gfxCardStatus
Go2Shell
GPG Keychain
HandBrake
NetSpot
Reflector
Sequel Pro
SnelNL
XQuartz
VLC
WiTopia

@JMY1000
JMY1000 commented Feb 10, 2016

Using HTTP:

BetterTouchTool
Focus 2
Jungle Disk
Mactracker
MiniPlayer
QuickSync
VideoPier
Wine

Using HTTPS:

DaisyDisk
DreamShot
Gridmount
Jungledisk
Slack

@pkclsoft

Astropad
GlyphDesigner
iAlertU - I maintain this one myself, so I'll see what I can do about updating it.

@madbeagle

MacDropAny
EVE (hotkeyEVE)
GasMask
Max (sbooth)

@ghost
ghost commented Feb 10, 2016

/applications/Adium.app/Contents/Frameworks/Sparkle.framework
/applications/cDock.app/Contents/Resources/updates/wUpdater.app/Contents/Resource/cocoaDialog.app/Contents/Frameworks/Sparkle.framework
/applications/ExpressVPN.app/Contents/Frameworks/Sparkle.framework
/applications/GPG Keychain.app/Contents/Frameworks/Sparkle.framework
/applications/TeamViewer.app/Contents/Frameworks/Sparkle.framework
/applications/uTorrent.app/Contents/Frameworks/Sparkle.framework
/applications/Vienna.app/Contents/Frameworks/Sparkle.framework
/applications/VLC.app/Contents/Frameworks/Sparkle.framework

@advantgroup

Where's @haikusw's command? This is all, not HTTP only:

/Applications/AppZapper.app/Contents/Frameworks/Sparkle.framework
/Applications/DaisyDisk.app/Contents/Frameworks/Sparkle.framework
/Applications/Debookee.app/Contents/Frameworks/Sparkle.framework
/Applications/ExpressVPN.app/Contents/Frameworks/Sparkle.framework
/Applications/OpenEmu.app/Contents/Frameworks/Sparkle.framework
/Applications/Reveal.app/Contents/Frameworks/Sparkle.framework
/Applications/Transmission.app/Contents/Frameworks/Sparkle.framework
/Applications/Utilities/XQuartz.app/Contents/Frameworks/Sparkle.framework
/Applications/VLC.app/Contents/Frameworks/Sparkle.framework
/Applications/xACT.app/Contents/Frameworks/Sparkle.framework

@mightyleader

Chocolat
DiskMaker X 5
Fabric
Geekbench 3
ImageOptim
Loopback
MacDown
MacID
Magic Spell
OpenEmu
Piezo
QuickRadar
Screenhero
Sequel Pro
Sketch
Tower
Utilities
XLD
xScope

@noivad
noivad commented Feb 10, 2016

Sparkle Apps Not Previously Listed (all using HTTPS)

Air Display Host
Airfoil
Borderlands
Bowtie
CDpedia
Default Folder X
Hobo
Itsycal
M3Unify
PlistEdit Pro
PowerTunes
RipIt
Senuti
Simple Comic
Tagalicious
Triumph
TwistedWave
Vitamin-R
X-LosslessDecoder
Yate

HTTP Update mechanism (previously listed):

Scrivener

Subfolder Search Note

Since the prior command only works for apps not in a subfolder of /Applications, here are two that work for apps in a subfolder:

  • Includes the subfolder(s):
    find /Applications -name Sparkle.framework | sed 's,/Applications/\(.*\)\.app/.*,\1,'
  • Removes subfolder(s):
    find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'
@xIO3Y
xIO3Y commented Feb 10, 2016
  • Bartender 2
  • BlueHarvest
  • DaisyDisk
  • Flux
  • MacID
  • Sketch
  • Spectacle
  • Transmission
  • UnRarX
  • Utilities/NoSleep
  • VLC
@LabLayers

Here's mine:

  • BetterTouchTool
  • coconutbattery
  • CyberDuck
  • Flux
  • HipChat
  • HyperSwitch
  • IconJar
  • ImageOptim
  • iTerm
  • Keka
  • LiteIcon
  • Macaw
  • Monolingual
  • Radiant Player
  • Rdio
  • SelfControl
  • Shady
  • SimpleComic
  • Sketch
  • SourceTree
  • Stand
  • Tunnelblick
  • uBar
  • Unicorn
  • VLC
  • XQuartz
@Bernd-HAL

Audio Editor
coconutBattery
Commander One
Cyberduck
Isolator
DEVONthink Pro
Digital Sentry
Fantastical
Flux
Frizzix
iBackup Viewer
JBidwatcher
JollysFastVNC
Keka
nvALT
QuickSync
Spectacle
TaskPaper
TeamViewer
Tedium
Transmit
Tunnelblick
TypeIt4Me
Baseline
Cocktail
fseventer
Lingon X 2.3.2
AppCleaner
backupList+
BatChmod
Carbon Copy Cloner 3.4.7
iDMG
DaisyDisk
dupeGuru
Utilities/Gas Mask
VLC

@yesh
yesh commented Feb 10, 2016
  • A Better Finder Rename 9
  • AppCleaner
  • Flux
  • Harvest
  • iTerm
  • MindNode Pro
  • Sequel Pro
  • Sketch
  • TogglDesktop
  • uTorrent
  • VLC
@elvisimprsntr

ClamXav
ClamXav
MyHarmony
StuffIt Expander
TeamViewer
TurboTax Premier 2015
Utilities
uTorrent
VLC

@prestevez

One I didn't find in those previously posted:

  • Sente 6
@stq66
stq66 commented Feb 10, 2016

The ones I didn't find in previous posts:

CopyPaste Pro
GrandTotal
Instashare
Logiblock IDE
QuickRes
SubEthaEdit
Subler

@braynshock

AudialHub
Awaken
CSSEdit
PhotoSync
Pixelmator
VectorDesigner
VisualHub
WriteRoom
iToner

@ratze90
ratze90 commented Feb 10, 2016

I have to add the following apps (didn't find in previous posts):

  • owncloud
  • audio splitter
@xFraz
xFraz commented Feb 10, 2016

/Applications/CleanMyMac 2.app/Contents/Frameworks/Sparkle.framework
/Applications/DaisyDisk.app/Contents/Frameworks/Sparkle.framework
/Applications/Debookee.app/Contents/Frameworks/Sparkle.framework
/Applications/Game Capture HD.app/Contents/Frameworks/Sparkle.framework
/Applications/Gyazo.app/Contents/Frameworks/Sparkle.framework
/Applications/iFunBox.app/Contents/Frameworks/Sparkle.framework
/Applications/OBS.app/Contents/Frameworks/Sparkle.framework
/Applications/Reflector 2.app/Contents/Frameworks/Sparkle.framework
/Applications/TeamViewer.app/Contents/Frameworks/Sparkle.framework
/Applications/Utilities/XQuartz.app/Contents/Frameworks/Sparkle.framework
/Applications/uTorrent.app/Contents/Frameworks/Sparkle.framework
/Applications/VLC.app/Contents/Frameworks/Sparkle.framework

@vallieres

Airy.app
Antidote 9.app
Bartender 2.app
CommandQ.app
Facebook Messenger.app
Fluid.app
Fluid.app/Contents/Resources/FluidApp.app
Google Hangout.app
HipChat.app
ImageOptim.app
Impression.app
inSSIDer.app
LightPaper.app
Loopback.app
Piezo.app
Sequel Pro.app
Sketch.app
SourceTree.app
TinyGrab.app
Wine.app
WineBottler.app

@anlinde
anlinde commented Feb 10, 2016

@LasseRafn : HockeyApp for Mac only uses Sparkle with HTTPS, not sure why you added it to your list.

@ogermer
ogermer commented Feb 10, 2016

Some more apps:

  • Airfoil Speakers
  • Airfoil
  • Beats Updater
  • Boxcryptor
  • Cyberduck
  • Evernote
  • GPG Keychain
  • HandBrake
  • IPSecuritas
  • iTaskX
  • iTerm
  • iTerm2
  • KisMAC
  • Sequel Pro
  • SourceTree
  • StuffIt Expander
  • TeamViewer
  • Utilities
  • VLC
@vallieres

Wrote a more precise command that outputs the app and the Sparkle BundleVersion from the plist.

find /Applications -name Sparkle.framework | while read -r fname; do
  appname="${fname#/Applications/}"                              # drop the /Applications/ prefix
  appname="${appname%/Contents/Frameworks/Sparkle.framework}"    # and the framework suffix
  version="$(defaults read "$fname/Resources/Info" CFBundleShortVersionString 2>/dev/null)"
  echo "$appname => $version"
done

More details here:
https://hipsterpixel.co/2016/02/10/are-you-affected-by-the-sparkle-vulnerability-here-s-how-to-find-out/

Very surprised many use a 2008-2009 version of Sparkle...

@jakepetroules
Member

> @LasseRafn : HockeyApp for Mac only uses Sparkle with HTTPS, not sure why you added it to your list.

I'd just like to remind everyone that this thread is for listing all applications using Sparkle. It is NOT for listing only applications affected by the recent security vulnerability.

@wwinter86

My list:

Adapter
Airy
Aurora HDR Pro
Coda 2
ColorStrokes
Convrt
Cyberduck
DiskMaker X
Elmedia Player
Folx
Gas Mask
GIF for Mac
GOG Downloader
GPG Keychain
HandBrake
Hear
ImageAlpha
ImageOptim
IP Broadcaster
iStumbler
Kaleidoscope
LiteIcon
MacOptimizer
MacPilot
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
Monolingual
Montage
MPlayerX
NetSpeedy
Noiseless Pro
Reflect Studio
Scrivener
SecureMailtoGenerator
Smaller
Snapheal Pro
Sound Forge Pro
Sound Siphon
Spectacle
Transmission
VLC
Wondershare Video Converter Ultimate
Wondershare Video Editor

@onetruth

Electric Sheep
Outline

@nflint
nflint commented Feb 10, 2016

Coda 2
Evernote
iTerm
Jumpcut
MAMP
MongoHub
Sequel Pro
TeamViewer
Tower
Transmit

@thotha
thotha commented Feb 10, 2016

@vallieres
Thank you for your extended terminal commands...
In my case, NONE of my installed apps use any version newer than 1.12, despite the fact that some of them have just been updated today or within the last 24h...
The versions go even back down to 1.5 beta or even 1.1 "No Version in Information Window" (Freeway Pro).
How can I as a user find out, if this is dangerous for the use of the apps onward?

@vallieres

@thotha you would need to set up a proxy, monitor outgoing connections and see if any of those seem to go to your app's servers, but then again that is not a simple task. Your best bet is to contact them.

Apart from being information, why are you Sparkle guys gathering all the apps using your framework?

@rlhamil
rlhamil commented Feb 10, 2016

Using locate(1) (once its database is built) to find Sparkle.framework in more places than just /Applications:

in /Applications (or apps in a user directory):

Adium
Air Display Host
Alarm Clock Pro
Audirvana Plus
Bartender
Bartender 2
BetterTouchTool
BibDesk
BitTorrent
Bricksmith
Camtasia 2
Chicken
ControlPlane
Cyberduck
DesignPro
DrawBerry
Elmedia Player
Eloquent
Evernote
Flux
Fraise
GPG Keychain
Geekbench 3
HandBrake
Image2Icon
Inklet
Isolator
Jumpcut
Karabiner
LaTeXiT
MDRP
MPlayer OSX Extended
OpenEmu
Paintbrush
Platypus
RealPlayer Cloud
Reflector 2
Remote Activity
SafariCacheExplorer
Senuti
Simple Comic
Snagit
StuffIt Expander
TeX Live Utility
TeXShop
Trampoline
TunesKit for Mac
UnRarX
Unison
VLC
Vox
Wallsaver
WebKit
Wine
WineBottler
Wondershare AllMyTube
XLD
XQuartz
Zoom
dff2dsf
iChm
iSkysoft iTube Studio
jfControlServer
smcFanControl

Miscellaneous bits elsewhere:
/Library/Application Support/GPGTools/GPGMail_Updater.app
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin
/Library/PreferencePanes/GPGPreferences.prefPane
/Library/PreferencePanes/HyperDock.prefpane
/Library/PreferencePanes/VOX Preferences.prefPane
/Library/Services/GPGServices.service

a version of an app installed by MacPorts:
/opt/local/MacGPG2/libexec/MacGPG2_Updater.app

An app produced by WineBottler:
/Users/rlhamil/Desktop/abcAVI.app/Contents/Resources/Wine.bundle

And some leftovers from an OS update:
/Library/SystemMigration/History/Migration-AF8CBD75-2455-4B1C-A87C-296C69E2FABE/QuarantineRoot/usr/local.hold/MacGPG2/libexec/MacGPG2_Updater.app

@rwu2359
rwu2359 commented Feb 10, 2016

ApiKitchen
Clip Manager 4
Clip Manager 5
Cyberduck
DaisyDisk
ImageOptim
myFMbutler Clip Manager 3
PlistEdit Pro
Reflector
StuffIt
TeamViewer

@Kosmic-Halo

iFunbox
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

@Kosmic-Halo

Why is daisydisk appearing when it's downloaded from the App Store??

for a in /Applications/*.app; do defaults read "$a/Contents/Info.plist" SUFeedURL 2>/dev/null | grep -v https >/dev/null && echo "${a##*/}"; done

for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done

http://www.daisydiskapp.com/downloads/profileInfo2.php

@rlhamil
rlhamil commented Feb 11, 2016

On Feb 10, 2016, at 19:41, Kosmic-Halo notifications@github.com wrote:

> Why is daisydisk appearing when it's downloaded from the App Store??

Some apps come in both App Store and non App Store versions; this appears to be one of them. If purchased outside the App Store, that version needs an independent update mechanism, which is frequently Sparkle.

@Kosmic-Halo

@rlhamil I purchased it through Mac App Store though?

@jbarnaby

Probably because the Daisy Disk developers only use one code-base to develop the App. Then they release either an App Store version or a Non-App Store version. For the App Store version they would probably use a macro to disable the Sparkle framework.

@Kosmic-Halo

@jbarnaby Understandable, just not comprehending why the app is considered a "culprit" from the following commands.. You know?

I legitimately purchased it so I wouldn't expect any fault. Can I manually disable sparkle frameworks? I believe an update for it was around a month ago, (from Mac App Store) definitely this year if I'm not mistaken..

edit, I just visited their website and I'm 100% positive I didn't purchase it off of there lol.

2nd edit; the app was updated on the 2nd of November 2015 -.- According to Mac App Store

@jbarnaby

It would show up since the Info plist has the update URL. If you obtained the app via the Mac App Store then the Sparkle framework is likely to be disabled anyway, since including it violates the App Store rules about external updating.

Anyway, this list is just for Apps that use Sparkle rather than Apps that contain the problem.

@digitalmoksha

Versatil Markdown (and has been updated to use https, v1.1.4)

@ghost
ghost commented Feb 11, 2016

AppCleaner
BetterTouchTool
DetectX
Fitbit Connect
Fitbit Connect
Flux
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
TeamViewer
Transmit
VLC

@jimkessler

BookMacster
iTubeDownloader
RapidWeaver 6
RealTimes
StatPlus
TextSoap
VidConvert

@ctash
ctash commented Feb 11, 2016

Dash has been patched as of v3.2.2 (192)

@ghost
ghost commented Feb 12, 2016

BTT and VLC have been patched. Update now. BTT v1.55 (470) and VLC v2.2.2

@dyspop
dyspop commented Feb 12, 2016

iSkysoft Video Converter
Track-o-Bot
Yahoo! Messenger

These were mentioned but I have different application names for them for some reason:
Alarm Clock
Framer

Maybe this is better as a public gist?

@urmyfaith

AppCleaner
CodeRunner
GitX
Kaleidoscope
Reveal
SimPholders2
Sketch
smcFanControl
SourceTree
Spectacle
Typora
VLC
VOX

@Kosmic-Halo

@intechman13 So I noticed you mentioned Malwarebytes Anti-Malware being affected. When do you think it'll be safe to download again?

@Kosmic-Halo

@EdenSG I noticed you mentioned TunnelBear, but it uses https?

@domelias

My additions:

iReal Pro (if not from the app store)
textWrangler (probably OK, uses https)

@xtensions

BitTorrent
cDock
ChitChat
Cyberduck
Evernote
HandBrake
HyperSwitch
Icons8
LiteIcon
MAMP
Snagit
SourceTree
TeamViewer
uBar
Utilities
uTorrent
VLC

@erikmh
erikmh commented Feb 12, 2016

Some more apps that use Sparkle:

  • AnyList
  • BackupLoupe
  • EyeTV
  • Jump Desktop
  • Mountain
  • NameMangler [has been patched]
  • Nisus Writer Pro
  • Ortelius
  • QRecall 2.0 ß33
  • Witch [has been patched]
@ghost
ghost commented Feb 12, 2016

@Kosmic-Halo I will let you know when it is patched here: #743

@thotha
thotha commented Feb 12, 2016

ASObjC Runner-N 1.9.15 (latest version for OS up to 10.9. Newer OS do not need it anymore as it is implemented into the newer OS through AppleScriptObjC-based libraries) => 1.5 Beta (git)

@lNobodyl

I used this command: sudo find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

  • CyberGhost 5
  • Hard Disk Manager
  • XTabulato
@thotha
thotha commented Feb 12, 2016

VLC Version 2.2.2 Weatherwax (Intel 64bit) does still use HTTP instead of HTTPS => 1.6 git

@ghost
ghost commented Feb 12, 2016

VLC 2.2.2 release notes claimed to have patched the issue

@thotha
thotha commented Feb 12, 2016

@intechman13
Well, then did I misinterpret the following, from Little Snitch?

[screenshot, 2016-02-12 13:09:47]

@thotha
thotha commented Feb 12, 2016

Regarding moneyGuru 2.9.4, Virgil Dupras, the developer, wrote me back.
Here is part of his statement.
"But even though Sparkle downloads its updates through HTTP, it checks the signature (a cryptographic signature, not just a hash. the public key used for that signature is in the moneyGuru package itself. the private key is, of course, in my hands, secret) of the downloaded package. It will not install anything if the signature isn't valid."

@danieldizzy

Adium
AppZapper
DaisyDisk
Dyn Updater

Evernote

GPG Keychain
Icons8 App

MAMP

owncloud

SelfControl
Spectacle

TeamViewer

TeX
TeX
TeX
TeX

Transmission

Utilities
VLC

@ghost
ghost commented Feb 12, 2016

@thotha I am currently unaware of Little Snitch. I am just repeating what the VLC 2.2.2 release notes claimed: "It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules."

@thotha
thotha commented Feb 12, 2016

I hope the following information is helpful for concerned users here and elsewhere who are worried about the MITM bug in the Sparkle framework.
All developers I have contacted so far say that the MITM bug is only related to the automatic update feature. Turning that off and doing only manual updates of the applications is safe.

The following example can be used for applications which do not have a setting to turn off automatic backup! If such a setting does exist it is preferred to use that setting instead!

Here is some feedback from the developer of LaunchControl and BackupLoupe, Robby Phälig:
"If you are concerned about MITM attacks I suggest you disable automatic updates for the time being.
An example for BackupLoupe:
If you want to disable automatic update checking for BackupLoupe open Terminal.app and enter:
defaults write com.soma-zone.BackupLoupe SUEnableAutomaticChecks -bool false
This works for any application which relies on Sparkle.framework. Just replace "com.soma-zone.BackupLoupe" with the proper bundle identifier. You can find an application's bundle identifier by entering:
defaults read <APP>/Contents/Info.plist CFBundleIdentifier
You have to replace <APP> with the complete path to the application bundle. An example for BackupLoupe:
defaults read /Applications/Utilities/BackupLoupe.app/Contents/Info.plist CFBundleIdentifier"
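
Added example (editor's code, not from this thread, from Sparkle, or from any app listed here): a POSIX shell script that combines the find/defaults one-liners posted above by @jakepetroules, @buildabar, @fcw, @noivad and @vallieres with the SUEnableAutomaticChecks default quoted just above. For every Sparkle.framework under a directory it prints the host bundle (whatever owns Contents/Frameworks/Sparkle.framework, so a nested XPC service or updater app gets its own line, which is why "Malwarebytes Anti-Malware" appeared twice in some lists), the Sparkle version, the scheme of SUFeedURL, and whether an SUPublicDSAKeyFile is configured; disable_cmds prints, but does not run, the defaults write line for every host whose feed is not https. Assumptions: SUFeedURL, SUPublicDSAKeyFile and SUEnableAutomaticChecks are Sparkle's documented Info.plist keys; the sample tree, bundle names, identifiers and URLs are constructed for the demo; the XML-only sed fallback exists so the demo also runs on a machine without defaults (real Info.plist files are often binary and need defaults or plutil).

```sh
#!/bin/sh
# sparkle-audit.sh: added example (not Sparkle's code, not any listed app's).
#   scan_sparkle DIR  -> one line per Sparkle.framework below DIR:
#                        host<TAB>Sparkle version<TAB>feed scheme<TAB>signed<TAB>SUFeedURL
#   disable_cmds DIR  -> prints (does not run) a `defaults write` line that turns off
#                        SUEnableAutomaticChecks for every host whose feed is not https
# SUFeedURL, SUPublicDSAKeyFile, SUEnableAutomaticChecks: Sparkle's Info.plist keys.

# Print one plist string value, or nothing. `defaults` (macOS) also reads binary
# plists; the sed fallback only understands XML plists with <string> on the line
# after <key>, and exists so the demo at the bottom runs on any POSIX system.
read_plist_key() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$1" "$2" 2>/dev/null || true
    else
        sed -n "/<key>$2<\/key>/{n;s/.*<string>\([^<]*\)<\/string>.*/\1/p;}" "$1" 2>/dev/null || true
    fi
}

feed_scheme() {   # https / http / other (unexpected scheme) / none (key absent)
    case "$1" in
        "")        echo none ;;
        https://*) echo https ;;
        http://*)  echo http ;;
        *)         echo other ;;
    esac
}

# The host is whatever bundle owns Contents/Frameworks/Sparkle.framework, so a
# nested XPC service or updater app is reported on its own line.
scan_sparkle() {
    root="$1"
    find "$root" -name Sparkle.framework -type d 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r fw; do
        host="${fw%/Contents/Frameworks/Sparkle.framework}"
        if [ "$host" = "$fw" ]; then host=$(dirname "$(dirname "$(dirname "$fw")")"); fi
        ver=$(read_plist_key "$fw/Resources/Info.plist" CFBundleShortVersionString)
        feed=$(read_plist_key "$host/Contents/Info.plist" SUFeedURL)
        signed=no
        if [ -n "$(read_plist_key "$host/Contents/Info.plist" SUPublicDSAKeyFile)" ]; then signed=yes; fi
        printf '%s\t%s\t%s\t%s\t%s\n' "${host#"$root"/}" "${ver:-?}" "$(feed_scheme "$feed")" "$signed" "$feed"
    done
}

disable_cmds() {
    root="$1"; tab=$(printf '\t')
    scan_sparkle "$root" | while IFS="$tab" read -r host ver scheme signed feed; do
        if [ "$scheme" = https ]; then continue; fi
        id=$(read_plist_key "$root/$host/Contents/Info.plist" CFBundleIdentifier)
        if [ -n "$id" ]; then
            printf 'defaults write %s SUEnableAutomaticChecks -bool false  # %s (%s)\n' "$id" "$host" "$scheme"
        fi
    done
}

# --- constructed sample tree standing in for /Applications (names, ids, URLs invented) ---
write_plist() {   # FILE key value [key value ...]; empty values are left out
    f="$1"; shift
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
        while [ $# -ge 2 ]; do
            if [ -n "$2" ]; then printf '\t<key>%s</key>\n\t<string>%s</string>\n' "$1" "$2"; fi
            shift 2
        done
        printf '</dict>\n</plist>\n'
    } > "$f"
}

mk_app() {   # BUNDLE sparkle-version bundle-id feed-url dsa-key-file
    mkdir -p "$1/Contents/Frameworks/Sparkle.framework/Resources"
    write_plist "$1/Contents/Frameworks/Sparkle.framework/Resources/Info.plist" CFBundleShortVersionString "$2"
    write_plist "$1/Contents/Info.plist" CFBundleIdentifier "$3" SUFeedURL "$4" SUPublicDSAKeyFile "$5"
}

make_sample_tree() {
    mk_app "$1/Good App.app" 1.13.1 invalid.example.goodapp https://example.invalid/good/appcast.xml dsa_pub.pem
    mk_app "$1/Old App.app" 1.5 invalid.example.oldapp http://example.invalid/old/appcast.xml ""
    mk_app "$1/Old App.app/Contents/XPCServices/Helper.xpc" 1.5 invalid.example.oldapp.helper "" ""
    mk_app "$1/Utilities/Sub App.app" 1.12 invalid.example.subapp http://example.invalid/sub/appcast.xml dsa_pub.pem
}

# Demo on the sample tree; on a Mac use scan_sparkle /Applications and disable_cmds /Applications.
demo=$(mktemp -d)
make_sample_tree "$demo"
scan_sparkle "$demo"
disable_cmds "$demo"
rm -rf "$demo"
```

Bundle names with spaces are handled, which is what broke the `$(ls /Applications)` loop earlier in the thread. The "signed" column only says whether the Info.plist names a DSA public key; an http appcast with a key configured is the situation @steakknife describes for VLC (signed downloads over a plain-http feed), and whether that is enough depends on the Sparkle version, which is why the version column is there. A host with no SUFeedURL may still set its feed in code, so disable_cmds lists those too.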

@gingerbeardman

120! on my Mac.

8-Bitty Controller for OSX
A Better Finder Rename 10
Acorn
Adapter
Airfoil
Airfoil Speakers
Airfoil Video Player
AirServer
AppCleaner
AppViz
Audio Hijack
Bartender 2
BetterZip
Boxer
Carousel
Chatology
ChitChat
Chocolat
CloudApp
Cocktail
coconutBattery
CodeKit
Colloquy
ControllerMate
ControllerMate
Core Data Editor
CrossOver
Crunch
Dash
Desktop Curtain
Drive Genius 3
Enjoy2
Evom
Exhaust
Feeder
Feeder 3
Final Vinyl
Flashlight
Flux
fseventer
Get iPlayer Automator
Gitbox
Glyphs
HandBrake
iExplorer
iFunBox
ImageAlpha
ImageOptim
Infinit
iPhone Backup Extractor
iStumbler
iSubtitle
iTools
JPEGmini Pro
Keka
LevelHelper
LineIn
LiquidCD
Loop Editor
MDRP
MediaInfo Mac
MetaZ
Minbox
Miro Video Converter
Mou
MPEG2 Works 4
MPlayerX
MTR 5
Name Mangler
NameChanger
Notational Velocity
Noun Project
OpenEmu
Pacifist
PhoneView
PhysicsEditor
Piezo
Platypus
PlistEdit Pro
Plug
Radium
Retrode Utility
RipIt
RoadMovie
RoboFont
S3Hub
ScreenFlow
ScreenSharingMenulet
Sequel Pro
Simple Comic
Simul80
Sketch
Sketch Toolbox
Sound Studio
Stay
Subler
Submerge
Tagger
TeamViewer
TechTool Pro 8
TexturePacker
Transmission
Transmit
UnRarX
VelOCRaptor
VideoMonkey
VideoSpec
Vienna
VisualHub
VLC
Witgui
Wondershare Video Converter Ultimate
xACT
XLD
XQuartz
xScope
Xslimmer
Yarg
Yate
Zwoptex

@ghost
ghost commented Feb 13, 2016

I am adding PowerPhotos to the list.

@ChadTaljaardt

CloudApp
CyberGhost 5
Debookee
Flux
TeamViewer
uTorrent
VLC

@domelias

iReal Pro's tech support checked with the developers: The newest version, from this week (iReal Pro 7.0), uses the newest version of Sparkle and is thus safe to auto update.

@ghost
ghost commented Feb 13, 2016

@domelias That's right, you can enable auto-updating once the application has been patched.

@ghost
ghost commented Feb 13, 2016

THESE APPLICATIONS HAVE BEEN OFFICIALLY PATCHED:

App Cleaner
BetterTouchTool
DetectX
PowerPhotos
VLC

@ghost
ghost commented Feb 14, 2016

@thotha I have tested the claims of VLC being patched and have realized that VLC still uses an HTTP connection in v2.2.2 and is therefore still unsafe. VLC is STILL vulnerable!

@ghost
ghost commented Feb 14, 2016

Apps That Have Claimed to Have Been Patched:

AppCleaner:
“Updated Sparkle (the in-app updater) to fix a security issue.”

BetterTouchTool:
“Fixes the Sparkle vulnerability”

DetectX:
“Improved: Sparkle security check can now be turned on and off in the Preferences Pane; default is 'Off'.”

Fitbit Connect:
None

Fitbit Connect:
None

Flux:
None

Malwarebytes Anti-Malware:
None

Malwarebytes Anti-Malware:
None

TeamViewer:
None

Transmit:
None

VLC:
“It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules.”

@sweetppro

My apps which use Sparkle:
Cookie 5
Cookie
WiFiSpoof
Invisible
Privatus
eMail Address Extractor
Hides

all current versions use https for updating

@lemkesoft

I updated GraphicConverter 9 and CADintosh today.
Both now use the latest Sparkle and https.

@TraderStf

@jakepetroules thanks for the terminal command. I always have 'Malwarebytes Anti-Malware' twice.
I have checked, only one app.

I found why with the cmd:
find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'

Malwarebytes Anti-Malware.app
Malwarebytes Anti-Malware Service.xpc

@TraderStf

If you don't like to use Terminal, DetectX version 2.14 and above lists the apps using Sparkle with/out https.
Preferences, checkmark, run, bottom of window, drag it down to see the black drawer.

@ghost
ghost commented Feb 20, 2016

Thank you @TraderStf that was very helpful.

@Kosmic-Halo

Any updates on..?

.Knock
.Malwarebytes
.TunnelBear
.SmoothMouse

Thanks in advance!

@Kosmic-Halo

How about the apps Arthur, Viscosity, ClipMenu?

@TraderStf referenced this issue in SummitRoute/osxlockdown on Mar 11, 2016: "Sparkle updater http option failed to fix." #36 (closed)

@steakknife

Not obviously vulnerable (current stable version only)

  • Adium
  • BibDesk
  • Boxer
  • Bartender 2
  • Bodega (abandoned, still useful for Sparkle version update detection)
  • Boxcar
  • ClipMenu (abandoned? open-source)
  • coconutBattery
  • Cyberduck
  • Dash
  • Expandrive
  • Flux
  • GPGTools Suite (GPG Keychain, GPGPreference, GPGMail_Updater, MacGPG2_Update, etc.)
  • Hands Off!
  • Handbrake
  • iFunBox
  • iTerm 2
  • TechSmith Jing
  • Jitsi
  • Karabiner
  • LaTeXiT
  • Lingon X
  • Mou (abandoned?)
  • Pacifist
  • Reveal
  • Seil
  • Shady (abandoned? and open-source)
  • SourceTree
  • TeX Live Utility
  • TeXShop
  • Toast Titanium
  • TotalFinder
  • Transmission
  • Transmit
  • VLC (Sparkle framework updated, appcast uses http:// but downloads are signed)
  • VLC Setup (not VLC)
  • XQuartz

Could be vulnerable / unreachable appcast

  • Breakaway (abandoned? and open-source)
  • Kismac NG (abandoned?)
  • UnRarX (abandoned?)
@simonkramer

Sparkle for the macOS application TeXShop has the suboptimal habit of accumulating what appear to be old versions of TeXShop in a folder /Users/username/Library/Application Support/TeXShop/.Sparkle (where "username" is a placeholder). In my case, these (40!) old versions unnecessarily occupy a total of ~3.5GB. IMHO, this state of affairs should be optimised (at most 3 old versions should be kept).

@pornel
Member
pornel commented Apr 12, 2016

@simonkramer The accumulation of copies in application support has been fixed a while ago. It'll stop happening when the app updates to the current version of Sparkle.

@ghost
ghost commented Jun 15, 2016 edited

@Kosmic-Halo Malwarebytes v1.2.4.584 has been patched!!!!!
