
Applications using Sparkle #717

Open
kornelski opened this Issue Jan 20, 2016 · 150 comments

Member

kornelski commented Jan 20, 2016

Edit: this issue has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.

The Sparkle website lists some Mac apps that use the framework, but that list was compiled a while ago.

Edit: thanks for your suggestions! We've got a long list!

Here's my list:

  • Acorn
  • Adium
  • Bittorrent Sync
  • Carbon Copy Cloner
  • Cinch
  • Colloquy
  • Evernote
  • Fantastical
  • Fitbit Connect
  • Flux
  • Handbrake
  • iTerm
  • Karabiner
  • Sequel Pro
  • Sidestep
  • Slack
  • Transmission
  • Twitterrific
  • Vienna
  • Vivaldi
  • VLC
  • WebKit Nightly
  • Wine
kevinboo commented Jan 21, 2016

Contributor

jakepetroules commented Jan 24, 2016

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

  • Colloquy
  • Cyberduck
  • Dashlane
  • Fabric
  • Gitter
  • Goofy
  • ImageOptim
  • Messenger
  • Mou
  • Quicken 2016
  • Slack
  • SourceTree
  • TeamViewer
  • UnicodeChecker
  • XQuartz
  • VLC

w0lfschild commented Jan 27, 2016

AirParrot 2
AppCleaner
Bartender 2
CodeKit
DaisyDisk
DockMod
FinderPath
GridMount
Image2Icon
LiteIcon
Platypus
Reflector 2
Übersicht
XLD

nlap commented Jan 29, 2016

AccountEdge Pro
AirServer
Bartender
BetterTouchTool
Billings
Boxer
Cakebrew
Capo
coconutBattery
Coda 2
ColorMunki Display
Cornerstone
CrossOver
Disk Drill
djay
duet
Go2Shell
GPG Keychain
HandBrake
HoudahSpot
Intensify Pro
MacDown
MAMP
Money
Monodraw
Notational Velocity
Paw
PhoneView
Sketch
TexShop
UnRarX

mikemcc commented Jan 29, 2016

DiskMaker X
Fluid
Mailplane 3
uTorrent

mmlac-bv commented Jan 29, 2016

0 Adium.app
1 Cyberduck.app
2 Dash.app
3 Doit.im.app
4 Evernote.app
5 HipChat.app
6 iTerm.app
7 Karabiner.app
8 Merlin.app
9 Mixed In Key 6.app
10 Screenhero.app
11 Seil.app
12 SizeUp.app
13 Sublime Text 2.app
14 TeamViewer.app
15 VLC.app

DomT4 commented Jan 29, 2016

Ones not mentioned already:

  • Dash
  • DS_Store Cleaner
  • KeepingYouAwake
  • Keka
  • Malwarebytes Anti-Malware
  • Pacifist
  • Skim

Miguel-Alonso commented Jan 29, 2016

More apps:

Bitcasa
iChm
Keka
Last.fm
Paperless
RescueTime

tergen commented Jan 29, 2016

More:

Marked 2
nvALT
TeX Live Utility

Contributor

xhacker commented Jan 29, 2016

  • Inboard
  • Arq
  • Texpad
  • Pomotodo

Contributor

jkbullard commented Jan 30, 2016

Um, so an application using Sparkle is an Issue? Why?

I understand that some applications that use Sparkle use it insecurely, but not all do. Tunnelblick, for example, uses https: for all Sparkle traffic.

Member

zorgiepoo commented Jan 30, 2016

@jkbullard No, you're right. Also, this thread is not related to the recent vulnerability.

spickermann commented Jan 30, 2016

Xaositek commented Jan 30, 2016

  • AppZapper
  • BetterTouchTool
  • Coda 2
  • Colloquy
  • duet
  • Flux
  • HandBrake
  • iTerm
  • OpenEmu
  • Sequel Pro
  • Transmission
  • VLC

Contributor

vitu commented Jan 30, 2016

Not yet mentioned:

  • A Better Finder Attributes
  • A Better Finder Rename
  • Alfred
  • BetterZip
  • Big Mean Folder Machine
  • Clarify
  • CleanMyMac (update framework based on Sparkle)
  • Cookie
  • JavaApplet (/Library/Internet Plug-Ins)
  • GPG Suite
  • iMazing (update framework based on Sparkle)
  • Localization Suite (Localization Manager + Localization Dictionary + Localizer)
  • Mactracker
  • Moom
  • MplayerX
  • NetSpeedy
  • PhotoBulk
  • Piezo
  • Posterizo
  • PowerPhotos
  • Radar
  • WordCounter
  • XliffViewer

nootrope commented Jan 30, 2016

Not mentioned as of this writing:

pejacoby commented Jan 30, 2016

CD Spin Doctor (from Toast Titanium 10 app collection)
DynDNSUpdater
Coconut ID
Geekbench
Impactor
IPNetMonitor X
iStumbler
KisMAC
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware Service.xpc
NetSpot
OpenDNS Updater 3.0
PwnageTool
Quicken 2007

Is anyone building a list of apps that use HTTP vs HTTPS, related to the MITM vulnerability?

davedittrich commented Jan 30, 2016

Adium.app
BibDesk.app
Chicken.app
CoRD.app
Dragon Dictate.app
GitX.app
Gizmo5.app
GraphicConverter.app
HandBrake.app
iExplorer.app
Monolingual.app
PwnageTool-3.1.5.app
PwnageTool-4.2.app
RecBoot.app
rooSwitch.app
SIP Communicator.app
Song Surgeon 4.app
StuffIt 12
TeXShop.app
Timeline 3D.app
Transmission.app
Viscosity.app

sindarina commented Jan 31, 2016

Divvy
MDRP (Mac DVDRipper Pro)
Simon
Things
VoodooPad

gaige commented Feb 1, 2016

inismor commented Feb 2, 2016

HandBrakeBatch
Lyve
MacPilot
MyHarmony
PaintCode 2
TurboTax 2012-2015, at least
Versions
VideoMonkey

Dejal commented Feb 3, 2016

laurentnguyen commented Feb 3, 2016

  • AppDelete
  • duet
  • Flux
  • KeepingYouAwake
  • RightFont
  • SizeUp
  • Sketch
  • uTorrent
  • VLC

SevenBits commented Feb 3, 2016

rasterbate commented Feb 4, 2016

aText
Daylite
Data Rescue 4
Shiori
Trickster
Wine Bottler

manuseoane commented Feb 4, 2016

seltzered commented Feb 5, 2016

Shortcat by @chendo
Jumpcut
Reveal
Switch
Time Sink
Radiant Player
Mixtape
Prizmo
nvALT
OpenSCAD
JewelryBox
Kaleidoscope
Drive Genius 4
Camtasia 2
DragonDrop
Turbotax (2012-2014)
VideoSpec

sveinbjornt commented Feb 8, 2016

craigburdett commented Feb 9, 2016

Bento 3
Billings
Camtasia 2
Coda 2
ColorMunki Smile
DaisyDisk
Data Rescue 3
Flux
FontAgent Pro 6
Geekbench 3
HandBrake
iExplorer
ImageOptim
Miro
Monolingual
PowerPhotos
Scrivener
StuffIt Expander
Timing
VLS
Wondershare Data Recovery

dxdc commented Feb 9, 2016

MSG Viewer for Outlook (http://msgviewerforoutlook.com)

helicine commented Feb 9, 2016

Air Video Server HD
Unison
xACT
Audio Hijack
Escort Detector Tools
Lingon X

jeremybrooks commented Feb 9, 2016

Adium
Disco
Fission
OpenEmu
SourceTree
XLD

Kosmic-Halo commented Feb 12, 2016

@EdenSG I noticed you mentioned TunnelBear, but it uses https?

domelias commented Feb 12, 2016

My additions:

iReal Pro (if not from the app store)
TextWrangler (probably OK, uses https)

xtensions commented Feb 12, 2016

BitTorrent
cDock
ChitChat
Cyberduck
Evernote
HandBrake
HyperSwitch
Icons8
LiteIcon
MAMP
Snagit
SourceTree
TeamViewer
uBar
Utilities
uTorrent
VLC

erikmh commented Feb 12, 2016

Some more apps that use Sparkle:

  • AnyList
  • BackupLoupe
  • EyeTV
  • Jump Desktop
  • Mountain
  • NameMangler [has been patched]
  • Nisus Writer Pro
  • Ortelius
  • QRecall 2.0 ß33
  • Witch [has been patched]

ghost commented Feb 12, 2016

@Kosmic-Halo I will let you know when it is patched here: #743

thotha commented Feb 12, 2016

ASObjC Runner-N 1.9.15 (latest version for OS up to 10.9; newer OS versions do not need it any more, as it is implemented in the newer OS through AppleScriptObjC-based libraries) => 1.5 Beta (git)

lNobodyl commented Feb 12, 2016

I used this command: sudo find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

  • CyberGhost 5
  • Hard Disk Manager
  • XTabulato

thotha commented Feb 12, 2016

VLC Version 2.2.2 Weatherwax (Intel 64bit) does still use HTTP instead of HTTPS => 1.6 git

ghost commented Feb 12, 2016

VLC 2.2.2 release notes claimed to have patched the issue

thotha commented Feb 12, 2016

@intechman13
Well then, did I misinterpret the following, with the help of Little Snitch?

[screenshot: bildschirmfoto 2016-02-12 um 13 09 47]

thotha commented Feb 12, 2016

Regarding moneyGuru 2.9.4, Virgil Dupras, the developer, wrote back to me.
Here is part of his statement:
"But even though Sparkle downloads its updates through HTTP, it checks the signature (a cryptographic signature, not just a hash. The public key used for that signature is in the moneyGuru package itself. The private key is, of course, in my hands, secret) of the downloaded package. It will not install anything if the signature isn't valid."

danieldizzy commented Feb 12, 2016

Adium
AppZapper
DaisyDisk
Dyn Updater
Evernote
GPG Keychain
Icons8 App
MAMP
owncloud
SelfControl
Spectacle
TeamViewer
TeX
TeX
TeX
TeX
Transmission
Utilities
VLC

ghost commented Feb 12, 2016

@thotha I am currently unaware of Little Snitch. I am just repeating what the VLC 2.2.2 release notes claimed: "It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules."

thotha commented Feb 12, 2016

I hope the following information is helpful for concerned users here and elsewhere who are worried about the MITM bug in the Sparkle framework.
All developers I have contacted so far say that the MITM bug is only related to the automatic update feature. Turning that off and only updating the applications manually is safe.

The following example can be used for applications which do not have a setting to turn off automatic backup! If such a setting does exist, it is preferable to use that setting instead!

Here is some feedback from the developer of LaunchControl and BackupLoupe, Robby Phälig:
"If you are concerned about MITM attacks I suggest you disable automatic updates for the time being.
An example for BackupLoupe:
If you want to disable automatic update checking for BackupLoupe, open Terminal.app and enter:
defaults write com.soma-zone.BackupLoupe SUEnableAutomaticChecks -bool false
This works for any application which relies on Sparkle.framework. Just replace "com.soma-zone.BackupLoupe" with the proper bundle identifier. You can find an application's bundle identifier by entering:
defaults read <APP>/Contents/Info.plist CFBundleIdentifier
You have to replace <APP> with the complete path to the application bundle. An example for BackupLoupe:
defaults read /Applications/Utilities/BackupLoupe.app/Contents/Info.plist CFBundleIdentifier"

gingerbeardman commented Feb 13, 2016

120! on my Mac.

8-Bitty Controller for OSX
A Better Finder Rename 10
Acorn
Adapter
Airfoil
Airfoil Speakers
Airfoil Video Player
AirServer
AppCleaner
AppViz
Audio Hijack
Bartender 2
BetterZip
Boxer
Carousel
Chatology
ChitChat
Chocolat
CloudApp
Cocktail
coconutBattery
CodeKit
Colloquy
ControllerMate
ControllerMate
Core Data Editor
CrossOver
Crunch
Dash
Desktop Curtain
Drive Genius 3
Enjoy2
Evom
Exhaust
Feeder
Feeder 3
Final Vinyl
Flashlight
Flux
fseventer
Get iPlayer Automator
Gitbox
Glyphs
HandBrake
iExplorer
iFunBox
ImageAlpha
ImageOptim
Infinit
iPhone Backup Extractor
iStumbler
iSubtitle
iTools
JPEGmini Pro
Keka
LevelHelper
LineIn
LiquidCD
Loop Editor
MDRP
MediaInfo Mac
MetaZ
Minbox
Miro Video Converter
Mou
MPEG2 Works 4
MPlayerX
MTR 5
Name Mangler
NameChanger
Notational Velocity
Noun Project
OpenEmu
Pacifist
PhoneView
PhysicsEditor
Piezo
Platypus
PlistEdit Pro
Plug
Radium
Retrode Utility
RipIt
RoadMovie
RoboFont
S3Hub
ScreenFlow
ScreenSharingMenulet
Sequel Pro
Simple Comic
Simul80
Sketch
Sketch Toolbox
Sound Studio
Stay
Subler
Submerge
Tagger
TeamViewer
TechTool Pro 8
TexturePacker
Transmission
Transmit
UnRarX
VelOCRaptor
VideoMonkey
VideoSpec
Vienna
VisualHub
VLC
Witgui
Wondershare Video Converter Ultimate
xACT
XLD
XQuartz
xScope
Xslimmer
Yarg
Yate
Zwoptex

gloubibou commented Feb 13, 2016

ghost commented Feb 13, 2016

I am adding PowerPhotos to the list.

ChadTaljaardt commented Feb 13, 2016

CloudApp
CyberGhost 5
Debookee
Flux
TeamViewer
uTorrent
VLC

domelias commented Feb 13, 2016

iReal Pro's tech support checked with the developers: the newest version, from this week (iReal Pro 7.0), uses the newest version of Sparkle and is thus safe to auto update.

ghost commented Feb 13, 2016

@domelias That's right, you can enable auto-updating once the application has been patched.

ghost commented Feb 13, 2016

THESE APPLICATIONS HAVE BEEN OFFICIALLY PATCHED:

App Cleaner
BetterTouchTool
DetectX
PowerPhotos
VLC

ghost commented Feb 14, 2016

@thotha I have tested the claims of VLC being patched and have realized that VLC still uses an HTTP connection in v2.2.2 and is therefore still unsafe. VLC is STILL vulnerable!

ghost commented Feb 14, 2016

Apps That Have Claimed to Have Been Patched:

AppCleaner:
“Updated Sparkle (the in-app updater) to fix a security issue.”

BetterTouchTool:
“Fixes the Sparkle vulnerability”

DetectX:
“Improved: Sparkle security check can now be turned on and off in the Preferences Pane; default is 'Off'.”

Fitbit Connect:
None

Flux:
None

Malwarebytes Anti-Malware:
None

TeamViewer:
None

Transmit:
None

VLC:
“It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules.”

sweetppro commented Feb 14, 2016

My apps which use Sparkle:
Cookie 5
Cookie
WiFiSpoof
Invisible
Privatus
eMail Address Extractor
Hides

All current versions use https for updating.

lemkesoft commented Feb 16, 2016

I updated GraphicConverter 9 and CADintosh today.
Both now use the latest Sparkle and https.

TraderStf commented Feb 19, 2016

@jakepetroules thanks for the terminal command. I always have 'Malwarebytes Anti-Malware' twice.
I have checked, only one app.

I found why with the cmd:
find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'

Malwarebytes Anti-Malware.app
Malwarebytes Anti-Malware Service.xpc
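Pulling the thread's pieces together (the `find` inventory, the `$(NF-3)` fix that separates the Malwarebytes .app from its .xpc helper, pejacoby's question about http vs https appcasts, and the `defaults write ... SUEnableAutomaticChecks -bool false` mitigation thotha quoted), here is an added example script; it is not Sparkle's code and not from anyone in this thread. It builds a constructed fixture tree with invented bundle ids and URLs so it runs anywhere; on a Mac you would point `sparkle_report` at /Applications. SUFeedURL is the Info.plist key Sparkle reads for the appcast URL.

```shell
#!/bin/sh
# Added example (not Sparkle's code): inventory bundles that embed Sparkle.framework,
# classify each bundle's appcast (SUFeedURL) by URL scheme, and print the thread's
# `defaults write <bundle id> SUEnableAutomaticChecks -bool false` line for every
# bundle whose appcast is plain http://. Runs against a constructed fixture tree.

# plist_string KEY FILE: the <string> value following <key>KEY</key> in an XML plist.
# (Binary plists need `plutil -convert xml1` first; enough for the two keys used here.)
plist_string() {
    tr -d '\n' < "$2" |
        sed -n "s|.*<key>$1</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p"
}

# sparkle_bundles ROOT: one line per bundle (.app or .xpc) that embeds Sparkle.framework.
# Dropping three trailing components (Contents/Frameworks/Sparkle.framework) is what the
# thread's `$(NF-3)` awk fix does; field $3 would merge the Malwarebytes .app and .xpc.
sparkle_bundles() {
    find "$1" -type d -name Sparkle.framework 2>/dev/null |
        while IFS= read -r fw; do
            dirname "$(dirname "$(dirname "$fw")")"
        done | sort
}

# feed_scheme URL: an http:// appcast is the MITM exposure discussed in the thread;
# an empty value means the feed is set in code or in user defaults, so check by hand.
feed_scheme() {
    case "$1" in
        https://*) echo https ;;
        http://*)  echo http ;;
        '')        echo no-feed-url ;;
        *)         echo other ;;
    esac
}

# disable_checks_command BUNDLE: the mitigation line quoted in the thread, for this bundle.
disable_checks_command() {
    dc_id=$(plist_string CFBundleIdentifier "$1/Contents/Info.plist")
    [ -n "$dc_id" ] || return 1
    printf 'defaults write %s SUEnableAutomaticChecks -bool false\n' "$dc_id"
}

# sparkle_report ROOT: tab-separated "bundle<TAB>bundle-id<TAB>scheme", one line per bundle.
sparkle_report() {
    sparkle_bundles "$1" | while IFS= read -r b; do
        plist=$b/Contents/Info.plist
        id=$(plist_string CFBundleIdentifier "$plist")
        scheme=$(feed_scheme "$(plist_string SUFeedURL "$plist")")
        printf '%s\t%s\t%s\n' "$(basename "$b")" "${id:--}" "$scheme"
    done
}

# write_bundle PATH BUNDLE-ID FEED-URL: a minimal fake bundle with Sparkle embedded.
write_bundle() {
    mkdir -p "$1/Contents/Frameworks/Sparkle.framework"
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
        printf '  <key>CFBundleIdentifier</key>\n  <string>%s</string>\n' "$2"
        if [ -n "$3" ]; then
            printf '  <key>SUFeedURL</key>\n  <string>%s</string>\n' "$3"
        fi
        printf '</dict></plist>\n'
    } > "$1/Contents/Info.plist"
}

# make_fixture DIR: constructed sample tree; bundle ids and URLs are invented for the demo.
make_fixture() {
    write_bundle "$1/Plain.app"  com.example.plain  http://updates.example.com/appcast.xml
    write_bundle "$1/Secure.app" com.example.secure https://updates.example.com/appcast.xml
    write_bundle "$1/NoFeed.app" com.example.nofeed ""
    # Same shape as the Malwarebytes case: a helper .xpc inside the .app with its own Sparkle.
    write_bundle "$1/Scanner.app" com.example.scanner https://updates.example.com/scanner.xml
    write_bundle "$1/Scanner.app/Contents/XPCServices/Scanner Service.xpc" \
        com.example.scanner.service http://updates.example.com/service.xml
}

# Demo: build the fixture, print the report, then the mitigation for each http:// appcast.
main() {
    root=$(mktemp -d)
    make_fixture "$root"
    sparkle_report "$root"
    echo "--- mitigation for http:// appcasts ---"
    sparkle_bundles "$root" | while IFS= read -r b; do
        if [ "$(feed_scheme "$(plist_string SUFeedURL "$b/Contents/Info.plist")")" = http ]; then
            disable_checks_command "$b"
        fi
    done
    rm -rf "$root"
}

main
```

On a real Mac, `sparkle_report /Applications` needs the plists in XML form (most shipped Info.plists are binary, so convert a copy with `plutil -convert xml1` or swap `plist_string` for `defaults read`), and a `no-feed-url` result only means the appcast URL is not in Info.plist, not that the app is safe.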

TraderStf commented Feb 20, 2016

If you don't like to use Terminal, DetectX version 2.14 and above lists the apps using Sparkle with/out https.
Preferences, checkmark, run, bottom of window, drag it down to see the black drawer.

ghost commented Feb 20, 2016

Thank you @TraderStf that was very helpful.

Kosmic-Halo commented Feb 21, 2016

Any updates on..?

.Knock
.Malwarebytes
.TunnelBear
.SmoothMouse

Thanks in advance!

Kosmic-Halo commented Feb 21, 2016

How about the apps Arthur, Viscosity, ClipMenu?

steakknife commented Mar 17, 2016

Not obviously vulnerable (current stable version only)

  • Adium
  • BibDesk
  • Boxer
  • Bartender 2
  • Bodega (abandoned, still useful for Sparkle version update detection)
  • Boxcar
  • ClipMenu (abandoned? open-source)
  • coconutBattery
  • Cyberduck
  • Dash
  • Expandrive
  • Flux
  • GPGTools Suite (GPG Keychain, GPGPreference, GPGMail_Updater, MacGPG2_Update, etc.)
  • Hands Off!
  • Handbrake
  • iFunBox
  • iTerm 2
  • TechSmith Jing
  • Jitsi
  • Karabiner
  • LaTeXiT
  • Lingon X
  • Mou (abandoned?)
  • Pacifist
  • Reveal
  • Seil
  • Shady (abandoned? and open-source)
  • SourceTree
  • TeX Live Utility
  • TeXShop
  • Toast Titanium
  • TotalFinder
  • Transmission
  • Transmit
  • VLC (Sparkle framework updated, appcast uses http:// but downloads are signed)
  • VLC Setup (not VLC)
  • XQuartz

Could be vulnerable / unreachable appcast

  • Breakaway (abandoned? and open-source)
  • Kismac NG (abandoned?)
  • UnRarX (abandoned?)

simonkramer commented Apr 12, 2016

Sparkle for the MacOS application TeXShop has the suboptimal habit of accumulating what appear to be old versions of TeXShop in a folder /Users/username/Library/Application Support/TeXShop/.Sparkle (where "username" is a placeholder). In my case, these (40!) old versions unnecessarily occupy a total of ~3.5GB. IMHO, this state of affairs should be optimised (at most 3 old versions should be kept).

Member

kornelski commented Apr 12, 2016

@simonkramer The accumulation of copies in application support has been fixed a while ago. It'll stop happening when the app updates to the current version of Sparkle.

ghost commented Jun 15, 2016

@Kosmic-Halo Malwarebytes v1.2.4.584 has been patched!!!!!
