Applications using Sparkle #717

Open
kornelski opened this issue Jan 20, 2016 · 149 comments
Comments


@kornelski kornelski commented Jan 20, 2016

Edit: this issue has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.

The Sparkle website lists some Mac apps that use the framework, but that list was compiled a while ago.

Edit: thanks for your suggestions! We've got a long list!

Here's my list:

  • Acorn
  • Adium
  • Bittorrent Sync
  • Carbon Copy Cloner
  • Cinch
  • Colloquy
  • Evernote
  • Fantastical
  • Fitbit Connect
  • Flux
  • Handbrake
  • iTerm
  • Karabiner
  • Sequel Pro
  • Sidestep
  • Slack
  • Transmission
  • Twitterrific
  • Vienna
  • Vivaldi
  • VLC
  • WebKit Nightly
  • Wine

@kevinboo kevinboo commented Jan 21, 2016


@jakepetroules jakepetroules commented Jan 24, 2016

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
  • Colloquy
  • Cyberduck
  • Dashlane
  • Fabric
  • Gitter
  • Goofy
  • ImageOptim
  • Messenger
  • Mou
  • Quicken 2016
  • Slack
  • SourceTree
  • TeamViewer
  • UnicodeChecker
  • XQuartz
  • VLC

@w0lfschild w0lfschild commented Jan 27, 2016

AirParrot 2
AppCleaner
Bartender 2
CodeKit
DaisyDisk
DockMod
FinderPath
GridMount
Image2Icon
LiteIcon
Platypus
Reflector 2
Übersicht
XLD


@nlap nlap commented Jan 29, 2016

AccountEdge Pro
AirServer
Bartender
BetterTouchTool
Billings
Boxer
Cakebrew
Capo
coconutBattery
Coda 2
ColorMunki Display
Cornerstone
CrossOver
Disk Drill
djay
duet
Go2Shell
GPG Keychain
HandBrake
HoudahSpot
Intensify Pro
MacDown
MAMP
Money
Monodraw
Notational Velocity
Paw
PhoneView
Sketch
TexShop
UnRarX


@mikemcc mikemcc commented Jan 29, 2016

DiskMaker X
Fluid
Mailplane 3
uTorrent


@mmlac-bv mmlac-bv commented Jan 29, 2016

0 Adium.app
1 Cyberduck.app
2 Dash.app
3 Doit.im.app
4 Evernote.app
5 HipChat.app
6 iTerm.app
7 Karabiner.app
8 Merlin.app
9 Mixed In Key 6.app
10 Screenhero.app
11 Seil.app
12 SizeUp.app
13 Sublime Text 2.app
14 TeamViewer.app
15 VLC.app


@DomT4 DomT4 commented Jan 29, 2016

Ones not mentioned already:

  • Dash
  • DS_Store Cleaner
  • KeepingYouAwake
  • Keka
  • Malwarebytes Anti-Malware
  • Pacifist
  • Skim

@Miguel-Alonso Miguel-Alonso commented Jan 29, 2016

More apps:

Bitcasa
iChm
Keka
Last.fm
Paperless
RescueTime


@tergen tergen commented Jan 29, 2016

More:

Marked 2
nvALT
TeX Live Utility


@xhacker xhacker commented Jan 29, 2016

  • Inboard
  • Arq
  • Texpad
  • Pomotodo

@jkbullard jkbullard commented Jan 30, 2016

Um, so an application using Sparkle is an Issue? Why?

I understand that some applications that use Sparkle use it insecurely, but not all do. Tunnelblick, for example, uses https: for all Sparkle traffic.


@zorgiepoo zorgiepoo commented Jan 30, 2016

@jkbullard No, you're right. Also, this thread is not related to the recent vulnerability.


@spickermann spickermann commented Jan 30, 2016


@Xaositek Xaositek commented Jan 30, 2016

  • AppZapper
  • BetterTouchTool
  • Coda 2
  • Colloquy
  • duet
  • Flux
  • HandBrake
  • iTerm
  • OpenEmu
  • Sequel Pro
  • Transmission
  • VLC

@vitu vitu commented Jan 30, 2016

Not yet mentioned:

  • A Better Finder Attributes
  • A Better Finder Rename
  • Alfred
  • BetterZip
  • Big Mean Folder Machine
  • Clarify
  • CleanMyMac (update framework based on Sparkle)
  • Cookie
  • JavaApplet (/Library/Internet Plug-Ins)
  • GPG Suite
  • iMazing (update framework based on Sparkle)
  • Localization Suite (Localization Manager + Localization Dictionary + Localizer)
  • Mactracker
  • Moom
  • MplayerX
  • NetSpeedy
  • PhotoBulk
  • Piezo
  • Posterizo
  • PowerPhotos
  • Radar
  • WordCounter
  • XliffViewer

@nootrope nootrope commented Jan 30, 2016

Not mentioned as of this writing:


@pejacoby pejacoby commented Jan 30, 2016

CD Spin Doctor (from Toast Titanium 10 app collection)
DynDNSUpdater
Coconut ID
Geekbench
Impactor
IPNetMonitor X
iStumbler
KisMAC
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware Service.xpc
NetSpot
OpenDNS Updater 3.0
PwnageTool
Quicken 2007

is anyone building a list of apps that use HTTP vs HTTPS, related to the MITM vulnerability?


@davedittrich davedittrich commented Jan 30, 2016

Adium.app
BibDesk.app
Chicken.app
CoRD.app
Dragon Dictate.app
GitX.app
Gizmo5.app
GraphicConverter.app
HandBrake.app
iExplorer.app
Monolingual.app
PwnageTool-3.1.5.app
PwnageTool-4.2.app
RecBoot.app
rooSwitch.app
SIP Communicator.app
Song Surgeon 4.app
StuffIt 12
TeXShop.app
Timeline 3D.app
Transmission.app
Viscosity.app


@sindarina sindarina commented Jan 31, 2016

Divvy
MDRP (Mac DVDRipper Pro)
Simon
Things
VoodooPad


@gaige gaige commented Feb 1, 2016


@inismor inismor commented Feb 2, 2016

HandBrakeBatch
Lyve
MacPilot
MyHarmony
PaintCode 2
TurboTax 2012-2015, at least
Versions
VideoMonkey


@laurentnguyen laurentnguyen commented Feb 3, 2016

  • AppDelete
  • duet
  • Flux
  • KeepingYouAwake
  • RightFont
  • SizeUp
  • Sketch
  • uTorrent
  • VLC

@thotha thotha commented Feb 12, 2016

Regarding moneyGuru 2.9.4: Virgil Dupras, the developer, did write me back.
Here is part of his statement.
"But even though Sparkle downloads its updates through HTTP, it checks the signature (a cryptographic signature, not just a hash; the public key used for that signature is in the moneyGuru package itself; the private key is, of course, in my hands, secret) of the downloaded package. It will not install anything if the signature isn't valid."


@danieldizzy danieldizzy commented Feb 12, 2016

Adium
AppZapper
DaisyDisk
Dyn Updater

Evernote

GPG Keychain
Icons8 App

MAMP

owncloud

SelfControl
Spectacle

TeamViewer

TeX
TeX
TeX
TeX

Transmission

Utilities
VLC


@ghost ghost commented Feb 12, 2016

@thotha I am currently unaware of Little Snitch. I am just repeating what the VLC 2.2.2 release notes claimed: "It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules."


@thotha thotha commented Feb 12, 2016

I hope the following information is helpful for concerned users here and elsewhere who are worried about the MITM bug in the Sparkle framework.
All developers I have contacted so far say that the MITM bug is only related to the automatic update feature. Turning that off and doing only manual updates of the applications is safe.

The following example can be used for applications which do not have a setting to turn off automatic backup! If such a setting does exist, it is preferred to use that setting instead!

Here is some feedback from the developer of LaunchControl and BackupLoupe, Robby Phälig.
"If you are concerned about MITM attacks I suggest you disable automatic updates for the time being.
An example for BackupLoupe:
If you want to disable automatic update checking for BackupLoupe, open Terminal.app and enter:
defaults write com.soma-zone.BackupLoupe SUEnableAutomaticChecks -bool false
This works for any application which relies on Sparkle.framework. Just replace "com.soma-zone.BackupLoupe" with the proper bundle identifier. You can find an application's bundle identifier by entering:
defaults read <APP>/Contents/Info.plist CFBundleIdentifier
You have to replace <APP> with the complete path to the application bundle. An example for BackupLoupe:
defaults read /Applications/Utilities/BackupLoupe.app/Contents/Info.plist CFBundleIdentifier"


@gingerbeardman gingerbeardman commented Feb 13, 2016

120! on my Mac.

8-Bitty Controller for OSX
A Better Finder Rename 10
Acorn
Adapter
Airfoil
Airfoil Speakers
Airfoil Video Player
AirServer
AppCleaner
AppViz
Audio Hijack
Bartender 2
BetterZip
Boxer
Carousel
Chatology
ChitChat
Chocolat
CloudApp
Cocktail
coconutBattery
CodeKit
Colloquy
ControllerMate
ControllerMate
Core Data Editor
CrossOver
Crunch
Dash
Desktop Curtain
Drive Genius 3
Enjoy2
Evom
Exhaust
Feeder
Feeder 3
Final Vinyl
Flashlight
Flux
fseventer
Get iPlayer Automator
Gitbox
Glyphs
HandBrake
iExplorer
iFunBox
ImageAlpha
ImageOptim
Infinit
iPhone Backup Extractor
iStumbler
iSubtitle
iTools
JPEGmini Pro
Keka
LevelHelper
LineIn
LiquidCD
Loop Editor
MDRP
MediaInfo Mac
MetaZ
Minbox
Miro Video Converter
Mou
MPEG2 Works 4
MPlayerX
MTR 5
Name Mangler
NameChanger
Notational Velocity
Noun Project
OpenEmu
Pacifist
PhoneView
PhysicsEditor
Piezo
Platypus
PlistEdit Pro
Plug
Radium
Retrode Utility
RipIt
RoadMovie
RoboFont
S3Hub
ScreenFlow
ScreenSharingMenulet
Sequel Pro
Simple Comic
Simul80
Sketch
Sketch Toolbox
Sound Studio
Stay
Subler
Submerge
Tagger
TeamViewer
TechTool Pro 8
TexturePacker
Transmission
Transmit
UnRarX
VelOCRaptor
VideoMonkey
VideoSpec
Vienna
VisualHub
VLC
Witgui
Wondershare Video Converter Ultimate
xACT
XLD
XQuartz
xScope
Xslimmer
Yarg
Yate
Zwoptex


@gloubibou gloubibou commented Feb 13, 2016


@ghost ghost commented Feb 13, 2016

I am adding PowerPhotos to the list.


@ChadTaljaardt ChadTaljaardt commented Feb 13, 2016

CloudApp
CyberGhost 5
Debookee
Flux
TeamViewer
uTorrent
VLC


@domelias domelias commented Feb 13, 2016

iReal Pro's tech support checked with the developers: the newest version, from this week (iReal Pro 7.0), uses the newest version of Sparkle and is thus safe to auto-update.


@ghost ghost commented Feb 13, 2016

@domelias That's right, you can enable auto-updating once the application has been patched.


@ghost ghost commented Feb 13, 2016

THESE APPLICATIONS HAVE BEEN OFFICIALLY PATCHED:

App Cleaner
BetterTouchTool
DetectX
PowerPhotos
VLC


@ghost ghost commented Feb 14, 2016

@thotha I have tested the claims of VLC being patched and have realized that VLC still uses an HTTP connection in v2.2.2 and is therefore still unsafe. VLC is STILL vulnerable!


@ghost ghost commented Feb 14, 2016

Apps That Have Claimed to Have Been Patched:

AppCleaner:
“Updated Sparkle (the in-app updater) to fix a security issue.”

BetterTouchTool:
“Fixes the Sparkle vulnerability”

DetectX:
“Improved: Sparkle security check can now be turned on and off in the Preferences Pane; default is 'Off'.”

Fitbit Connect:
None

Flux:
None

Malwarebytes Anti-Malware:
None

TeamViewer:
None

Transmit:
None

VLC:
“It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules.”


@sweetppro sweetppro commented Feb 14, 2016

My apps which use Sparkle:
Cookie 5
Cookie
WiFiSpoof
Invisible
Privatus
eMail Address Extractor
Hides

all current versions use https for updating


@lemkesoft lemkesoft commented Feb 16, 2016

I updated GraphicConverter 9 and CADintosh today.
Both use now the latest Sparkle and https.


@TraderStf TraderStf commented Feb 19, 2016

@jakepetroules thanks for the terminal command. I always get 'Malwarebytes Anti-Malware' twice.
I have checked; there is only one app.

I found why with the cmd:
find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'

Malwarebytes Anti-Malware.app
Malwarebytes Anti-Malware Service.xpc

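An added example (not code from the Sparkle project or from any commenter) that builds on the find one-liners above and on the earlier question about which apps fetch their appcast over HTTP rather than HTTPS: it resolves every Sparkle.framework hit to its enclosing .app (so a copy nested in an XPC service no longer yields a second line) and reports each app's bundle identifier, the scheme of its SUFeedURL and whether a SUPublicDSAKeyFile is declared. It assumes the standard Sparkle Info.plist keys SUFeedURL and SUPublicDSAKeyFile and XML-format Info.plist files; the two sample bundles, their com.example identifiers and example.invalid feed URLs are constructed for the offline run.

```shell
# Audit apps bundling Sparkle.framework: bundle id, appcast URL scheme, signing key.
# Added example, not Sparkle project code. Assumes the Sparkle Info.plist keys
# SUFeedURL / SUPublicDSAKeyFile and XML plist text (binary: plutil -convert xml1 first).

# plist_string KEY FILE -> value of the <string> that follows <key>KEY</key>
plist_string() {
    tr -d '\n' < "$2" |
        sed -n "s|.*<key>$1</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p"
}
# classify_feed FILE -> https | http | none | other (scheme of the appcast URL)
classify_feed() {
    case "$(plist_string SUFeedURL "$1")" in
        "")        echo none ;;
        https://*) echo https ;;
        http://*)  echo http ;;
        *)         echo other ;;
    esac
}
# has_signing_key FILE -> succeeds if the app declares a DSA public key for updates
has_signing_key() { [ -n "$(plist_string SUPublicDSAKeyFile "$1")" ]; }

# audit_apps ROOT -> one "app<TAB>bundle id<TAB>scheme<TAB>signed|unsigned" per app.
# Each hit is resolved to its enclosing .app, so a second Sparkle copy inside an
# XPC service (the duplicate seen above) collapses into the app's own line.
audit_apps() {
    find "$1" -name Sparkle.framework 2>/dev/null | while read -r fw; do
        app="${fw%%.app/*}.app"; plist="$app/Contents/Info.plist"
        [ -f "$plist" ] || continue
        if has_signing_key "$plist"; then key=signed; else key=unsigned; fi
        printf '%s\t%s\t%s\t%s\n' "$(basename "$app")" \
            "$(plist_string CFBundleIdentifier "$plist")" "$(classify_feed "$plist")" "$key"
    done | sort -u
}

# make_sample_app ROOT NAME ID FEEDURL [KEYFILE] -> constructed bundle for offline runs
make_sample_app() {
    mkdir -p "$1/$2.app/Contents/Frameworks/Sparkle.framework"
    key=""; [ -z "${5:-}" ] || key="<key>SUPublicDSAKeyFile</key><string>$5</string>"
    printf '<plist version="1.0"><dict>\n<key>CFBundleIdentifier</key><string>%s</string>\n<key>SUFeedURL</key><string>%s</string>\n%s</dict></plist>\n' \
        "$3" "$4" "$key" > "$1/$2.app/Contents/Info.plist"
}

# demo -> audits two constructed bundles; on a Mac, run audit_apps /Applications instead
demo() {
    root=$(mktemp -d)
    make_sample_app "$root" Foo com.example.foo http://example.invalid/appcast.xml dsa_pub.pem
    make_sample_app "$root" "Bar App" com.example.bar https://example.invalid/appcast.xml
    audit_apps "$root"; rm -r "$root"
}
demo
```

The bundle identifier column is exactly what the defaults write ... SUEnableAutomaticChecks -bool false command quoted earlier in the thread needs, so the same loop can drive that per-app opt-out on a Mac. A "signed" http entry is the case described for VLC and moneyGuru (plain-HTTP appcast, signed downloads), which this check reports but does not judge.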

@TraderStf TraderStf commented Feb 20, 2016

If you don't like to use Terminal, DetectX version 2.14 and above lists the apps using Sparkle with/out https.
Preferences, checkmark, run, bottom of window, drag it down to see the black drawer.


@ghost ghost commented Feb 20, 2016

Thank you @TraderStf that was very helpful.


@Kosmic-Halo Kosmic-Halo commented Feb 21, 2016

Any updates on..?

.Knock
.Malwarebytes
.TunnelBear
.SmoothMouse

Thanks in advance!


@Kosmic-Halo Kosmic-Halo commented Feb 21, 2016

How about the apps Arthur, Viscosity, ClipMenu?


@steakknife steakknife commented Mar 17, 2016

Not obviously vulnerable (current stable version only)

  • Adium
  • BibDesk
  • Boxer
  • Bartender 2
  • Bodega (abandoned, still useful for Sparkle version update detection)
  • Boxcar
  • ClipMenu (abandoned? open-source)
  • coconutBattery
  • Cyberduck
  • Dash
  • Expandrive
  • Flux
  • GPGTools Suite (GPG Keychain, GPGPreference, GPGMail_Updater, MacGPG2_Update, etc.)
  • Hands Off!
  • Handbrake
  • iFunBox
  • iTerm 2
  • TechSmith Jing
  • Jitsi
  • Karabiner
  • LaTeXiT
  • Lingon X
  • Mou (abandoned?)
  • Pacifist
  • Reveal
  • Seil
  • Shady (abandoned? and open-source)
  • SourceTree
  • TeX Live Utility
  • TeXShop
  • Toast Titanium
  • TotalFinder
  • Transmission
  • Transmit
  • VLC (Sparkle framework updated, appcast uses http:// but downloads are signed)
  • VLC Setup (not VLC)
  • XQuartz

Could be vulnerable / unreachable appcast

  • Breakaway (abandoned? and open-source)
  • Kismac NG (abandoned?)
  • UnRarX (abandoned?)

@simonkramer simonkramer commented Apr 12, 2016

Sparkle for the MacOS application TeXShop has the suboptimal habit of accumulating what appear to be old versions of TeXShop in a folder /Users/username/Library/Application Support/TeXShop/.Sparkle (where "username" is a placeholder). In my case, these (40!) old versions unnecessarily occupy a total of ~3.5GB. IMHO, this state of affairs should be optimised (at most 3 old versions should be kept).


@kornelski kornelski commented Apr 12, 2016

@simonkramer The accumulation of copies in application support has been fixed a while ago. It'll stop happening when the app updates to the current version of Sparkle.


@ghost ghost commented Jun 15, 2016

@Kosmic-Halo Malwarebytes v1.2.4.584 has been patched!!!!!
