
Applications using Sparkle #717

Open
kornelski opened this Issue Jan 20, 2016 · 150 comments

kornelski (Member) commented Jan 20, 2016

Edit: this issue has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.

Sparkle website lists some Mac apps that use the framework, but this list has been compiled a while ago.

Edit: thanks for your suggestions! We've got a long list!

Here's my list:

  • Acorn
  • Adium
  • Bittorrent Sync
  • Carbon Copy Cloner
  • Cinch
  • Colloquy
  • Evernote
  • Fantastical
  • Fitbit Connect
  • Flux
  • Handbrake
  • iTerm
  • Karabiner
  • Sequel Pro
  • Sidestep
  • Slack
  • Transmission
  • Twitterrific
  • Vienna
  • Vivaldi
  • VLC
  • WebKit Nightly
  • Wine

kevinboo commented Jan 21, 2016

jakepetroules (Contributor) commented Jan 24, 2016

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

  • Colloquy
  • Cyberduck
  • Dashlane
  • Fabric
  • Gitter
  • Goofy
  • ImageOptim
  • Messenger
  • Mou
  • Quicken 2016
  • Slack
  • SourceTree
  • TeamViewer
  • UnicodeChecker
  • XQuartz
  • VLC

w0lfschild commented Jan 27, 2016

AirParrot 2
AppCleaner
Bartender 2
CodeKit
DaisyDisk
DockMod
FinderPath
GridMount
Image2Icon
LiteIcon
Platypus
Reflector 2
Übersicht
XLD

nlap commented Jan 29, 2016

AccountEdge Pro
AirServer
Bartender
BetterTouchTool
Billings
Boxer
Cakebrew
Capo
coconutBattery
Coda 2
ColorMunki Display
Cornerstone
CrossOver
Disk Drill
djay
duet
Go2Shell
GPG Keychain
HandBrake
HoudahSpot
Intensify Pro
MacDown
MAMP
Money
Monodraw
Notational Velocity
Paw
PhoneView
Sketch
TexShop
UnRarX

mikemcc commented Jan 29, 2016

DiskMaker X
Fluid
Mailplane 3
uTorrent

mmlac-bv commented Jan 29, 2016

0 Adium.app
1 Cyberduck.app
2 Dash.app
3 Doit.im.app
4 Evernote.app
5 HipChat.app
6 iTerm.app
7 Karabiner.app
8 Merlin.app
9 Mixed In Key 6.app
10 Screenhero.app
11 Seil.app
12 SizeUp.app
13 Sublime Text 2.app
14 TeamViewer.app
15 VLC.app

DomT4 commented Jan 29, 2016

Ones not mentioned already:

  • Dash
  • DS_Store Cleaner
  • KeepingYouAwake
  • Keka
  • Malwarebytes Anti-Malware
  • Pacifist
  • Skim

Miguel-Alonso commented Jan 29, 2016

More apps:

Bitcasa
iChm
Keka
Last.fm
Paperless
RescueTime

tergen commented Jan 29, 2016

More:

Marked 2
nvALT
TeX Live Utility

xhacker (Contributor) commented Jan 29, 2016

  • Inboard
  • Arq
  • Texpad
  • Pomotodo

jkbullard (Contributor) commented Jan 30, 2016

Um, so an application using Sparkle is an Issue? Why?

I understand that some applications that use Sparkle use it insecurely, but not all do. Tunnelblick, for example, uses https: for all Sparkle traffic.

zorgiepoo (Member) commented Jan 30, 2016

@jkbullard No, you're right. Also, this thread is not related to the recent vulnerability.

spickermann commented Jan 30, 2016

Xaositek commented Jan 30, 2016

  • AppZapper
  • BetterTouchTool
  • Coda 2
  • Colloquy
  • duet
  • Flux
  • HandBrake
  • iTerm
  • OpenEmu
  • Sequel Pro
  • Transmission
  • VLC

vitu (Contributor) commented Jan 30, 2016

Not yet mentioned:

  • A Better Finder Attributes
  • A Better Finder Rename
  • Alfred
  • BetterZip
  • Big Mean Folder Machine
  • Clarify
  • CleanMyMac (update framework based on Sparkle)
  • Cookie
  • JavaApplet (/Library/Internet Plug-Ins)
  • GPG Suite
  • iMazing (update framework based on Sparkle)
  • Localization Suite (Localization Manager + Localization Dictionary + Localizer)
  • Mactracker
  • Moom
  • MplayerX
  • NetSpeedy
  • PhotoBulk
  • Piezo
  • Posterizo
  • PowerPhotos
  • Radar
  • WordCounter
  • XliffViewer

nootrope commented Jan 30, 2016

Not mentioned as of this writing:

pejacoby commented Jan 30, 2016

CD Spin Doctor (from Toast Titanium 10 app collection)
DynDNSUpdater
Coconut ID
Geekbench
Impactor
IPNetMonitor X
iStumbler
KisMAC
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware Service.xpc
NetSpot
OpenDNS Updater 3.0
PwnageTool
Quicken 2007

Is anyone building a list of apps that use HTTP vs HTTPS, related to the MITM vulnerability?

davedittrich commented Jan 30, 2016

Adium.app
BibDesk.app
Chicken.app
CoRD.app
Dragon Dictate.app
GitX.app
Gizmo5.app
GraphicConverter.app
HandBrake.app
iExplorer.app
Monolingual.app
PwnageTool-3.1.5.app
PwnageTool-4.2.app
RecBoot.app
rooSwitch.app
SIP Communicator.app
Song Surgeon 4.app
StuffIt 12
TeXShop.app
Timeline 3D.app
Transmission.app
Viscosity.app

sindarina commented Jan 31, 2016

Divvy
MDRP (Mac DVDRipper Pro)
Simon
Things
VoodooPad

gaige commented Feb 1, 2016

inismor commented Feb 2, 2016

HandBrakeBatch
Lyve
MacPilot
MyHarmony
PaintCode 2
TurboTax 2012-2015, at least
Versions
VideoMonkey

Dejal commented Feb 3, 2016

thotha commented Feb 12, 2016

Regarding moneyGuru 2.9.4, Virgil Dupras, the developer, did write me back.
Here is part of his statement.
"But even though Sparkle downloads its updates through HTTP, it checks the signature (a cryptographic signature, not just a hash. the public key used for that signature is in the moneyGuru package itself. the private key is, of course, in my hands, secret) of the downloaded package. It will not install anything if the signature isn't valid."

danieldizzy commented Feb 12, 2016

Adium
AppZapper
DaisyDisk
Dyn Updater
Evernote
GPG Keychain
Icons8 App
MAMP
owncloud
SelfControl
Spectacle
TeamViewer
TeX
TeX
TeX
TeX
Transmission
Utilities
VLC

ghost commented Feb 12, 2016

@thotha I am currently unaware of Little Snitch. I am just repeating what the VLC 2.2.2 release notes claimed: "It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules."

thotha commented Feb 12, 2016

I hope the following information is helpful for concerned users here and elsewhere who are worried about the MITM bug in the Sparkle framework.
All developers I have contacted so far say that the MITM bug is only related to the automatic update feature. Turning that off and doing only manual updates of the applications is safe.

The following example can be used for applications which do not have a setting to turn off automatic backup! If such a setting does exist, it is preferred to use that setting instead!

Here is some feedback from Robby Phälig, the developer of LaunchControl and BackupLoupe.
"If you are concerned about MITM attacks I suggest you disable automatic updates for the time being.
An example for BackupLoupe:
If you want to disable automatic update checking for BackupLoupe, open Terminal.app and enter:
defaults write com.soma-zone.BackupLoupe SUEnableAutomaticChecks -bool false
This works for any application which relies on Sparkle.framework. Just replace "com.soma-zone.BackupLoupe" with the proper bundle identifier. You can find an application's bundle identifier by entering:
defaults read <APP>/Contents/Info.plist CFBundleIdentifier
You have to replace <APP> with the complete path to the application bundle. An example for BackupLoupe:
defaults read /Applications/Utilities/BackupLoupe.app/Contents/Info.plist CFBundleIdentifier"

gingerbeardman commented Feb 13, 2016

120! on my Mac.

8-Bitty Controller for OSX
A Better Finder Rename 10
Acorn
Adapter
Airfoil
Airfoil Speakers
Airfoil Video Player
AirServer
AppCleaner
AppViz
Audio Hijack
Bartender 2
BetterZip
Boxer
Carousel
Chatology
ChitChat
Chocolat
CloudApp
Cocktail
coconutBattery
CodeKit
Colloquy
ControllerMate
ControllerMate
Core Data Editor
CrossOver
Crunch
Dash
Desktop Curtain
Drive Genius 3
Enjoy2
Evom
Exhaust
Feeder
Feeder 3
Final Vinyl
Flashlight
Flux
fseventer
Get iPlayer Automator
Gitbox
Glyphs
HandBrake
iExplorer
iFunBox
ImageAlpha
ImageOptim
Infinit
iPhone Backup Extractor
iStumbler
iSubtitle
iTools
JPEGmini Pro
Keka
LevelHelper
LineIn
LiquidCD
Loop Editor
MDRP
MediaInfo Mac
MetaZ
Minbox
Miro Video Converter
Mou
MPEG2 Works 4
MPlayerX
MTR 5
Name Mangler
NameChanger
Notational Velocity
Noun Project
OpenEmu
Pacifist
PhoneView
PhysicsEditor
Piezo
Platypus
PlistEdit Pro
Plug
Radium
Retrode Utility
RipIt
RoadMovie
RoboFont
S3Hub
ScreenFlow
ScreenSharingMenulet
Sequel Pro
Simple Comic
Simul80
Sketch
Sketch Toolbox
Sound Studio
Stay
Subler
Submerge
Tagger
TeamViewer
TechTool Pro 8
TexturePacker
Transmission
Transmit
UnRarX
VelOCRaptor
VideoMonkey
VideoSpec
Vienna
VisualHub
VLC
Witgui
Wondershare Video Converter Ultimate
xACT
XLD
XQuartz
xScope
Xslimmer
Yarg
Yate
Zwoptex

gloubibou commented Feb 13, 2016

ghost commented Feb 13, 2016

I am adding PowerPhotos to the list.

ChadTaljaardt commented Feb 13, 2016

CloudApp
CyberGhost 5
Debookee
Flux
TeamViewer
uTorrent
VLC

domelias commented Feb 13, 2016

iReal Pro's tech support checked with the developers: the newest version, from this week (iReal Pro 7.0), uses the newest version of Sparkle and is thus safe to auto-update.

ghost commented Feb 13, 2016

@domelias That's right, you can enable auto-updating once the application has been patched.

ghost commented Feb 13, 2016

THESE APPLICATIONS HAVE BEEN OFFICIALLY PATCHED:

App Cleaner
BetterTouchTool
DetectX
PowerPhotos
VLC

ghost commented Feb 14, 2016

@thotha I have tested the claims of VLC being patched and have realized that VLC still uses an HTTP connection in v2.2.2 and is therefore still unsafe. VLC is STILL vulnerable!

ghost commented Feb 14, 2016

Apps That Have Claimed to Have Been Patched:

AppCleaner:
“Updated Sparkle (the in-app updater) to fix a security issue.”

BetterTouchTool:
“Fixes the Sparkle vulnerability”

DetectX:
“Improved: Sparkle security check can now be turned on and off in the Preferences Pane; default is 'Off'.”

Fitbit Connect:
None

Flux:
None

Malwarebytes Anti-Malware:
None

TeamViewer:
None

Transmit:
None

VLC:
“It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules.”

sweetppro commented Feb 14, 2016

My apps which use Sparkle:
Cookie 5
Cookie
WiFiSpoof
Invisible
Privatus
eMail Address Extractor
Hides

all current versions use https for updating

lemkesoft commented Feb 16, 2016

I updated GraphicConverter 9 and CADintosh today.
Both now use the latest Sparkle and https.

TraderStf commented Feb 19, 2016

@jakepetroules thanks for the terminal command. I always have 'Malwarebytes Anti-Malware' twice.
I have checked, only one app.

I found why with the cmd:
find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'

Malwarebytes Anti-Malware.app
Malwarebytes Anti-Malware Service.xpc
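
The following script is an added example, not Sparkle project code and not from any commenter here. It combines the checks discussed in this thread: it walks a directory the way the `find /Applications -name Sparkle.framework` commands above do, attributes each framework copy to its own bundle by walking up `Frameworks -> Contents -> bundle` (so a nested `.xpc` service is reported separately from its host app, which is the double "Malwarebytes Anti-Malware" entry explained above), and reads the Sparkle keys from each bundle's `Info.plist` to answer the earlier question of which apps use an HTTP versus an HTTPS feed. It uses only the Python standard library and builds a constructed sample tree of fake bundles (made-up bundle identifiers and URLs) so it runs offline; on a Mac, point `inventory()` at `/Applications`. The key names `SUFeedURL`, `SUPublicDSAKeyFile`, `SUPublicDSAKey` and `SUEnableAutomaticChecks` are Sparkle's Info.plist keys; the helper and function names are mine.

```python
"""Inventory bundles that embed Sparkle.framework and summarize their update feed.

Added example (not Sparkle code). Standard library only; `plistlib` reads both
XML and binary Info.plist files, so it works on real bundles without `plutil`.
"""
import os
import plistlib
import tempfile
from urllib.parse import urlparse

SPARKLE_DIR = "Sparkle.framework"


def find_sparkle_bundles(root):
    """Return sorted paths of every .app/.xpc bundle under `root` that embeds Sparkle.

    Equivalent to `find root -name Sparkle.framework`, but instead of counting
    path components it walks up three levels (Frameworks -> Contents -> bundle),
    so an XPC service nested inside an app is attributed to the service itself.
    """
    bundles = []
    for dirpath, dirnames, _files in os.walk(root):
        if os.path.basename(dirpath) == SPARKLE_DIR:
            dirnames[:] = []  # nothing of interest below the framework itself
            contents = os.path.dirname(os.path.dirname(dirpath))
            bundles.append(os.path.dirname(contents))
    return sorted(bundles)


def inspect_bundle(bundle):
    """Read the bundle's Info.plist and summarize its shipped Sparkle configuration."""
    with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    feed = info.get("SUFeedURL")
    scheme = urlparse(feed).scheme.lower() if feed else None
    return {
        "bundle": os.path.basename(bundle),
        "bundle_id": info.get("CFBundleIdentifier"),
        "feed_url": feed,
        "feed_in_plist": feed is not None,        # False: feed may be set at runtime
        "plaintext_feed": scheme == "http",       # the HTTP-vs-HTTPS question above
        "has_dsa_key": bool(info.get("SUPublicDSAKeyFile") or info.get("SUPublicDSAKey")),
        "auto_checks_default": info.get("SUEnableAutomaticChecks"),  # bundle default only
    }


def inventory(root):
    """One report dict per Sparkle-using bundle under `root`."""
    return [inspect_bundle(b) for b in find_sparkle_bundles(root)]


def _write_bundle(path, info):
    """Create a minimal fake bundle: an Info.plist and an empty Sparkle.framework dir."""
    os.makedirs(os.path.join(path, "Contents", "Frameworks", SPARKLE_DIR))
    with open(os.path.join(path, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump(info, fh)


def build_sample_tree(root):
    """Constructed sample data (not real apps): an HTTPS app with a pinned DSA key,
    and an HTTP app carrying a nested XPC service that has its own Sparkle copy."""
    _write_bundle(os.path.join(root, "SafeApp.app"), {
        "CFBundleIdentifier": "com.example.safeapp",
        "SUFeedURL": "https://updates.example.com/appcast.xml",
        "SUPublicDSAKeyFile": "dsa_pub.pem",
    })
    host = os.path.join(root, "PlainApp.app")
    _write_bundle(host, {
        "CFBundleIdentifier": "com.example.plainapp",
        "SUFeedURL": "http://updates.example.com/appcast.xml",
        "SUEnableAutomaticChecks": True,
    })
    _write_bundle(os.path.join(host, "Contents", "XPCServices", "PlainApp Service.xpc"), {
        "CFBundleIdentifier": "com.example.plainapp.service",
        "SUFeedURL": "http://updates.example.com/service.xml",
    })


def demo():
    """Build the sample tree in a temp dir and return its inventory."""
    root = tempfile.mkdtemp(prefix="sparkle-inventory-")
    build_sample_tree(root)
    return inventory(root)


if __name__ == "__main__":
    for r in demo():
        if r["plaintext_feed"]:
            status = "HTTP feed"
        elif r["feed_in_plist"]:
            status = "https feed"
        else:
            status = "no SUFeedURL in plist (set at runtime?)"
        print(f'{r["bundle"]:22} {r["bundle_id"]:30} {status}; dsa_key={r["has_dsa_key"]}')
```

Two caveats when reading the output on a real machine: an app can supply its feed URL from code rather than from `SUFeedURL`, so a missing key is "unknown", not "safe"; and the `defaults write ... SUEnableAutomaticChecks -bool false` command quoted earlier writes to the user's preferences domain, not to the bundle's Info.plist, so this script only shows the default the developer shipped, not whether you have overridden it.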

TraderStf commented Feb 20, 2016

If you don't like to use Terminal, DetectX version 2.14 and above lists the apps using Sparkle with/out https.
Preferences, checkmark, run, bottom of window, drag it down to see the black drawer.

ghost commented Feb 20, 2016

Thank you @TraderStf that was very helpful.

Kosmic-Halo commented Feb 21, 2016

Any updates on..?

  • Knock
  • Malwarebytes
  • TunnelBear
  • SmoothMouse

Thanks in advance!

Kosmic-Halo commented Feb 21, 2016

How about the apps Arthur, Viscosity, ClipMenu?

steakknife commented Mar 17, 2016

Not obviously vulnerable (current stable version only)

  • Adium
  • BibDesk
  • Boxer
  • Bartender 2
  • Bodega (abandoned, still useful for Sparkle version update detection)
  • Boxcar
  • ClipMenu (abandoned? open-source)
  • coconutBattery
  • Cyberduck
  • Dash
  • Expandrive
  • Flux
  • GPGTools Suite (GPG Keychain, GPGPreference, GPGMail_Updater, MacGPG2_Update, etc.)
  • Hands Off!
  • Handbrake
  • iFunBox
  • iTerm 2
  • TechSmith Jing
  • Jitsi
  • Karabiner
  • LaTeXiT
  • Lingon X
  • Mou (abandoned?)
  • Pacifist
  • Reveal
  • Seil
  • Shady (abandoned? and open-source)
  • SourceTree
  • TeX Live Utility
  • TeXShop
  • Toast Titanium
  • TotalFinder
  • Transmission
  • Transmit
  • VLC (Sparkle framework updated, appcast uses http:// but downloads are signed)
  • VLC Setup (not VLC)
  • XQuartz

Could be vulnerable / unreachable appcast

  • Breakaway (abandoned? and open-source)
  • Kismac NG (abandoned?)
  • UnRarX (abandoned?)
simonkramer commented Apr 12, 2016

Sparkle for the MacOS application TeXShop has the suboptimal habit of accumulating what appear to be old versions of TeXShop in a folder /Users/username/Library/Application Support/TeXShop/.Sparkle (where "username" is a placeholder). In my case, these (40!) old versions unnecessarily occupy a total of ~3.5GB. IMHO, this state of affairs should be optimised (at most 3 old versions should be kept).

kornelski (Member) commented Apr 12, 2016

@simonkramer The accumulation of copies in Application Support was fixed a while ago. It'll stop happening when the app updates to the current version of Sparkle.

ghost commented Jun 15, 2016

@Kosmic-Halo Malwarebytes v1.2.4.584 has been patched!!!!!
