Applications using Sparkle #717
- CCMenu (https://github.com/erikdoe/ccmenu) +
- Clippy (https://github.com/Clipy/Clipy) +
- Clyppan (https://github.com/geoffbeier/clyppan) +
- DEVONthink Pro
- DuetDisplay +
- Emmet plugin (https://github.com/emmetio/Emmet.sugar) +
- GrowlMail (https://github.com/rudyrichter/GrowlMail) +
- HipChat
- ImageAlpha (https://github.com/pornel/ImageAlpha) +
- iPlayer Automator (https://github.com/GetiPlayerAutomator/get-iplayer-automator) +
- Mailbox
- Mou +
- OpenEmu (https://github.com/OpenEmu/OpenEmu)
- Panda Mac (https://github.com/pablosproject/Panda-Mac-app) +
- SparkleDotNET (https://github.com/iKenndac/SparkleDotNET) +
- ProjectPlus (https://github.com/ciaran/projectplus) +
- Reggy (https://github.com/samsouder/reggy) +
- SelfControl (https://github.com/SelfControlApp/selfcontrol)
- SourceTree
- TCMPortMapper (https://github.com/mugginsoft/TCMPortMapper) +
- TeamViewer
- Teleport (https://github.com/abyssoft/teleport) +
- Tunnelblick (https://github.com/Tunnelblick/Tunnelblick)
- Viscosity
- VyprVPN
- ZFS Plugin (https://github.com/Dukem/ZFS-Dumodule) +
- Zulip (https://github.com/zulip/zulip-desktop)
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
- Colloquy
- Cyberduck
- Dashlane
- Fabric
- Gitter
- Goofy
- ImageOptim
- Messenger
- Mou
- Quicken 2016
- Slack
- SourceTree
- TeamViewer
- UnicodeChecker
- XQuartz
- VLC
AirParrot 2
AppCleaner
Bartender 2
CodeKit
DaisyDisk
DockMod
FinderPath
GridMount
Image2Icon
LiteIcon
Platypus
Reflector 2
Übersicht
XLD
AccountEdge Pro
AirServer
Bartender
BetterTouchTool
Billings
Boxer
Cakebrew
Capo
coconutBattery
Coda 2
ColorMunki Display
Cornerstone
CrossOver
Disk Drill
djay
duet
Go2Shell
GPG Keychain
HandBrake
HoudahSpot
Intensify Pro
MacDown
MAMP
Money
Monodraw
Notational Velocity
Paw
PhoneView
Sketch
TexShop
UnRarX
0 Adium.app
1 Cyberduck.app
2 Dash.app
3 Doit.im.app
4 Evernote.app
5 HipChat.app
6 iTerm.app
7 Karabiner.app
8 Merlin.app
9 Mixed In Key 6.app
10 Screenhero.app
11 Seil.app
12 SizeUp.app
13 Sublime Text 2.app
14 TeamViewer.app
15 VLC.app
Ones not mentioned already:
- Dash
- DS_Store Cleaner
- KeepingYouAwake
- Keka
- Malwarebytes Anti-Malware
- Pacifist
- Skim
Um, so an application using Sparkle is an Issue? Why?
I understand that some applications that use Sparkle use it insecurely, but not all do. Tunnelblick, for example, uses https: for all Sparkle traffic.
@jkbullard No, you're right. Also, this thread is not related to the recent vulnerability
- Slate.app (https://github.com/jigish/slate)
- TeX/BibDesk.app (https://tug.org/mactex/)
- TeX/LaTeXiT.app (https://tug.org/mactex/)
- TeX/TeXShop.app (https://tug.org/mactex/)
- Tower.app (https://www.git-tower.com/)
- AppZapper
- BetterTouchTool
- Coda 2
- Colloquy
- duet
- Flux
- HandBrake
- iTerm
- OpenEmu
- Sequel Pro
- Transmission
- VLC
- AirRadar
- Audiomate
- BeadedSpice
- Bleep
- ColorFinale
- ControlPlane
- FontStand
- GeekTool
- gfxCardStatus
- GitUp
- Hammerspoon
- Hocus Focus
- IconJar
- Infinit
- InsomniaX
- IP Scanner
- iStopMotion
- LiveReload
- Loading
- MenubarStats
- Miro Video Converter
- Miro
- NetNewsWire
- NiceCast
- Noun Project
- OSCulator
- Phun
- Rinoceros
- RightFont
- Ring
- Sandvox
- SaneDesk
- SkyFonts
- smcFanControl
- Sofortbild
- Splice
- Stand
- Tomahawk
- TunnelBear
- Typora
- Whiskey
Not yet mentioned:
- A Better Finder Attributes
- A Better Finder Rename
- Alfred
- BetterZip
- Big Mean Folder Machine
- Clarify
- CleanMyMac (update framework based on Sparkle)
- Cookie
- JavaApplet (/Library/Internet Plugin-Ins)
- GPG Suite
- iMazing (update framework based on Sparkle)
- Localization Suite (Localization Manager + Localization Dictionary + Localizer)
- Mactracker
- Moom
- MplayerX
- NetSpeedy
- PhotoBulk
- Piezo
- Posterizo
- PowerPhotos
- Radar
- WordCounter
- XliffViewer
Not mentioned as of this writing:
- TogglDesktop
- Skitch (related to Evernote)
CD Spin Doctor (from Toast Titanium 10 app collection)
DynDNSUpdater
Coconut ID
Geekbench
Impactor
IPNetMonitor X
iStumbler
KisMAC
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware Service.xpc
NetSpot
OpenDNS Updater 3.0
PwnageTool
Quicken 2007
Is anyone building a list of apps that use HTTP vs HTTPS, related to the MITM vulnerability?
Adium.app
BibDesk.app
Chicken.app
CoRD.app
Dragon Dictate.app
GitX.app
Gizmo5.app
GraphicConverter.app
HandBrake.app
iExplorer.app
Monolingual.app
PwnageTool-3.1.5.app
PwnageTool-4.2.app
RecBoot.app
rooSwitch.app
SIP Communicator.app
Song Surgeon 4.app
StuffIt 12
TeXShop.app
Timeline 3D.app
Transmission.app
Viscosity.app
HandBrakeBatch
Lyve
MacPilot
MyHarmony
PaintCode 2
TurboTax 2012-2015, at least
Versions
VideoMonkey
- Ghostlab (https://www.vanamco.com/ghostlab/)
- Cog (http://cogx.org/index.php)
- Paintbrush (http://paintbrush.sourceforge.net/)
- Simon (http://www.dejal.com/simon/)
- Time Out 2 (http://www.dejal.com/timeout/)
- AppDelete
- duet
- Flux
- KeepingYouAwake
- RightFont
- SizeUp
- Sketch
- uTorrent
- VLC
Bento 3
Billings
Camtasia 2
Coda 2
ColorMunki Smile
DaisyDisk
Data Rescue 3
Flux
FontAgent Pro 6
Geekbench 3
HandBrake
iExplorer
ImageOptim
Miro
Monolingual
PowerPhotos
Scrivener
StuffIt Expander
Timing
VLS
Wondershare Data Recovery
Air Video Server HD
Unison
xACT
Audio Hijack
Escort Detector Tools
Lingon X
Here's my list of apps using HTTP (using @haikusw's command):
Adze Lite
Antidote 8
AppCleaner
Bartender
Beamer
Carbon Copy Cloner 2
Chocolat
CleanMyMac 2
CloudyTabs
CrossOver
Dash
Deploymate
Disk Drill
duet
Geekbench
gfxCardStatus
HoudahGeo 2
HoudahGeo
InsomniaX
iTeleport Connect
Live Interior 3D Pro
Mactracker
Malwarebytes Anti-Malware
Money
MoveToAppleMusic
Paintbrush
Plug
Quinn
Rdio
Reflector
Sequel Pro
Shapes
Sharepod
Snagit
Soulver
SourceTree
Sublime Text
TG Pro
Transmission
Transmit
Utilities/XQuartz
uTorrent
VLC Setup
Carbon Copy Cloner
Festify
Hopper Disassembler v3
Kext Wizard
Last.fm
LiteIcon
QuickRadar
Sketch Toolbox
BetterTouchTool
CocosBuilder
iVPN
Trailer
xScope
And here's my complete list of apps (for the original purposes of this thread):
Air Video Server HD
AirServer
Antidote 8
AppCleaner
Archiver
Bartender
Beamer
BetterTouchTool
Capo
Chatology
Chocolat
CleanMyMac 2
CloudyTabs
CocoaPods
CocosBuilder
Coda 2
CodeKit
CodeRunner
Crashlytics
CrossOver
Dash
Dashlane
Deploymate
Disk Drill
DiskAid
DropletManager
Dropzone-2
duet
Festify
Flux
Geekbench 3
gfxCardStatus
GitUp
Goofy
goofy-master
HandBrake
Harvest
HipChat
Hirundo
Hopper Disassembler v3
HoudahGeo
InsomniaX
iTeleport Connect
iTerm
iVPN
JollysFastVNC
Kaleidoscope
Kext Wizard
Knock
Last.fm
LiteIcon
Live Interior 3D Pro
maciej's Playlist Importer
Mactracker
Mailbox
Malwarebytes Anti-Malware
Money
MouseRecorder
MoveToAppleMusic
MPlayerX
Notifyr
OpenEmu
Paintbrush
PaintCode
Paw
Plug
QuickRadar
Quinn
Rdio
Reeder
Reflector
RescueTime
Reveal
Sequel Pro
Shapes
Sharepod
Sketch
Sketch Toolbox
Snagit
Soulver
SourceTree
Splashtop
TeamViewer
TG Pro
Tower
Trailer
Transmission
Transmit
TripMode
XQuartz
uTorrent
Versions
VLC
Waltr
Winclone
xScope
My List
duet.app
PopClip.app
SourceTree.app
Sublime Text 2.app
TeamViewer.app
iStumbler.app
Bartender 2
BitTorrent
Colloquy
Dash
Drive
Fabric
Fake
Fluid
Fluid
Flux
Gitter
GitUp
iTerm
Karabiner
Knock
Malwarebytes Anti-Malware
MAMP
OpenSCAD
Repetier-Host Mac
Seil
SelfControl
Utilities
VLC
Hey guys, apparently a better way to check is by running this
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
Majority of apps I have use https to do Sparkle updates
Look for the apps using http and not https
So far I only have 2
icons8
utorrent
This is a list for apps that use Sparkle, no...? "Sparkle website lists some Mac apps that use the framework, but this list has been compiled a while ago. Let's update it! Please add yours." Rather than a list of affected apps...?
@jbarnaby Oh man you're so right, I just followed the Arstechnica link.
Ouch.. there's A LOT. Even when I used the method that @buildabar suggested (http only)
HTTP only
Bittorrent
HockeyApp
Dropzone3
Fake
Flexiglass
Fluid
FramerJS
Miro Video Converter
MongoHub
Screenflow
SourceTree
Sublime Text 3
Throng
UnrarX
VLC
Vagrant Manager
All my apps running Sparkle
BitTorrent
CopyClip
DropShare
DropZone 3
Fake
FlexiGlass
Fluid
Framer Studio
Goofy
Sequel Pro
Miro Video Converter
MongoHub
Paparazzi!
Poedit
ScreenFlow
Sequel Pro
Sketch
SourceTree
TeamViewer
Throng
Transmit
Trello
Tunnelblick
UnRarX
XQuartz
Vagrant Manager
VLC
Zeplin
HTTP only
BitTorrent Sync
Book Collector (Collectorz.com)
Duet (Duet Display)
Movie Collector (Collectorz.com)
Sublime Text 2
TripMode
uTorrent
DaisyDisk (though this one's on the App Store)
MyHarmony
SequelPro
Unarchiver
VLC
uTorrent
Here's a tweak on @buildabar's command that directly lists the names of the apps that don't use https on their SUFeedURLs:
for a in $(ls /Applications); do defaults read "/Applications/$a/Contents/Info.plist" SUFeedURL 2>/dev/null | grep -v https >/dev/null && echo $a; done
Just VLC for me
hey @fcw doesn't quite work. When I run without I have more http apps
Accordance 11
Alarm Clock Pro 2
Alarm Clock Pro
AppCleaner
Art Text 2
Audio Hijack Pro
BoinxTV
ClamXav
Comic Life 2
Comic Life 3
Comic Life Magiq
Comic Life
Contour
Corel Painter Sketch Pad
CoverScout 3
DesktopShelves
DiskMaker X 4b4
DiskMaker X 5
Downie (978)
Downie
Drive Genius 3
Ember
Focus 2
Focus
Font Finagler
ForkLift
FotoMagico 3.6
FotoMagico 3.8.8
FotoMagico
Get Backup 2.
GraphicConverter 7
GraphicConverter 8
GraphicConverter 9
HandBrake
iExplorer
iPhone Explorer
iSale 5
iShowU HD
Lumio
MacJournal
MindNode Pro
Nicecast
NoteBook
Pacifist
PDFpen
Phone To Mac
PhotoPresenter
Picturesque
Scapple
ScreenFlow
Scrivener
SMART Utility 2.1.2
Snapheal PRO
Snapheal
SongGenie 2
SongGenie
StoryMill
Swift Publisher 3
Toast Titanium
Tonality Pro
XQuartz
VLC
Winclone
AirServer
Ambify
Audio Hijack
BitTorrent
Blue Jeans Scheduler for Mac
Cisco Jabber
Coda 2
Conductr Server
DEVONthink
Fluid
Fluid
Geekbench 3
HandBrake
HipChat
iTerm-2
Lookback
Myo Connect
NetSpot
Opacity
OpenEmu
OSCulator ƒ
PhoneExpander
ScreenFlow
Sequel Pro
Silverback
Sketch
SoundSoap
SourceTree
SousChef
Spark
Splice
TechTool Pro 8
Toast 14 Titanium
Transmit
VLC
WhatSize
WireTap Studio
gfxCardStatus
Go2Shell
GPG Keychain
HandBrake
NetSpot
Reflector
Sequel Pro
SnelNL
XQuartz
VLC
WiTopia
Using HTTP:
BetterTouchTool
Focus 2
Jungle Disk
Mactracker
MiniPlayer
QuickSync
VideoPier
Wine
Using HTTPS:
DaisyDisk
DreamShot
Gridmount
Jungledisk
Slack
Astropad
GlyphDesigner
iAlertU - I maintain this one myself, so I'll see what I can do about updating it.
/applications/Adium.app/Contents/Frameworks/Sparkle.framework
/applications/cDock.app/Contents/Resources/updates/wUpdater.app/Contents/Resource/cocoaDialog.app/Contents/Frameworks/Sparkle.framework
/applications/ExpressVPN.app/Contents/Frameworks/Sparkle.framework
/applications/GPG Keychain.app/Contents/Frameworks/Sparkle.framework
/applications/TeamViewer.app/Contents/Frameworks/Sparkle.framework
/applications/uTorrent.app/Contents/Frameworks/Sparkle.framework
/applications/Vienna.app/Contents/Frameworks/Sparkle.framework
/applications/VLC.app/Contents/Frameworks/Sparkle.framework
Where's @haikusw's command? This is all, not HTTP only:
/Applications/AppZapper.app/Contents/Frameworks/Sparkle.framework
/Applications/DaisyDisk.app/Contents/Frameworks/Sparkle.framework
/Applications/Debookee.app/Contents/Frameworks/Sparkle.framework
/Applications/ExpressVPN.app/Contents/Frameworks/Sparkle.framework
/Applications/OpenEmu.app/Contents/Frameworks/Sparkle.framework
/Applications/Reveal.app/Contents/Frameworks/Sparkle.framework
/Applications/Transmission.app/Contents/Frameworks/Sparkle.framework
/Applications/Utilities/XQuartz.app/Contents/Frameworks/Sparkle.framework
/Applications/VLC.app/Contents/Frameworks/Sparkle.framework
/Applications/xACT.app/Contents/Frameworks/Sparkle.framework
Chocolat
DiskMaker X 5
Fabric
Geekbench 3
ImageOptim
Loopback
MacDown
MacID
Magic Spell
OpenEmu
Piezo
QuickRadar
Screenhero
Sequel Pro
Sketch
Tower
Utilities
XLD
xScope
Airfoil Speakers (https://www.rogueamoeba.com/airfoil/)
All2MP3 (http://www.macupdate.com/app/mac/27103/all2mp3)
Comic Book Lover (https://www.bitcartel.com/comicbooklover/macosx.html)
Couleurs (https://couleursapp.com)
SQLEditor (https://www.malcolmhardie.com/sqleditor/)
Subtitles (http://subtitlesapp.com/fr/)
Sparkle Apps Not Previously Listed (all using HTTPS)
Air Display Host
Airfoil
Borderlands
Bowtie
CDpedia
Default Folder X
Hobo
Itsycal
M3Unify
PlistEdit Pro
PowerTunes
RipIt
Senuti
Simple Comic
Tagalicious
Triumph
TwistedWave
Vitamin-R
X-LosslessDecoder
Yate
HTTP Update mechanism (previously listed):
Scrivener
Subfolder Search Note
Since the prior command only works for apps not in a subfolder of Applications, here are 2 that work for apps in a subfolder:
Includes the subfolder(s):
find /Applications -name Sparkle.framework | sed 's,/Applications/\(.*\)\.app/.*,\1,'
Removes subfolder(s):
find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'
- Bartender 2
- BlueHarvest
- DaisyDisk
- Flux
- MacID
- Sketch
- Spectacle
- Transmission
- UnRarX
- Utilities/NoSleep
- VLC
Here's mine:
- BetterTouchTool
- coconutbattery
- CyberDuck
- Flux
- HipChat
- HyperSwitch
- IconJar
- ImageOptim
- iTerm
- Keka
- LiteIcon
- Macaw
- Monolingual
- Radiant Player
- Rdio
- SelfControl
- Shady
- SimpleComic
- Sketch
- SourceTree
- Stand
- Tunnelblick
- uBar
- Unicorn
- VLC
- XQuartz
Audio Editor
coconutBattery
Commander One
Cyberduck
Isolator
DEVONthink Pro
Digital Sentry
Fantastical
Flux
Frizzix
iBackup Viewer
JBidwatcher
JollysFastVNC
Keka
nvALT
QuickSync
Spectacle
TaskPaper
TeamViewer
Tedium
Transmit
Tunnelblick
TypeIt4Me
Baseline
Cocktail
fseventer
Lingon X 2.3.2
AppCleaner
backupList+
BatChmod
Carbon Copy Cloner 3.4.7
iDMG
DaisyDisk
dupeGuru
Utilities/Gas Mask
VLC
- A Better Finder Rename 9
- AppCleaner
- Flux
- Harvest
- iTerm
- MindNode Pro
- Sequel Pro
- Sketch
- TogglDesktop
- uTorrent
- VLC
ClamXav
ClamXav
MyHarmony
StuffIt Expander
TeamViewer
TurboTax Premier 2015
Utilities
uTorrent
VLC
HWMonitor - http://www.bresink.com/osx/HardwareMonitor.html
NameChanger - https://mrrsoftware.com/namechanger/
Smaller - http://25.io/smaller/
Snapz Pro X - http://www.ambrosiasw.com/utilities/snapzprox/
The Hit List - http://www.karelia.com/products/the-hit-list/mac.html
The ones I didn't find in previous posts:
CopyPaste Pro
GrandTotal
Instashare
Logiblock IDE
QuickRes
SubEthaEdit
Subler
AudialHub
Awaken
CSSEdit
PhotoSync
Pixelmator
VectorDesigner
VisualHub
WriteRoom
iToner
I have to add the following apps (didn't find in previous posts):
- owncloud
- audio splitter
Aurora HDR Pro
DetectX
Disc Cover 3 RE
DiskCatalogMaker
dreamboxEDIT
DriveDx
Espionage
Exhibeo
Focus CK (Creative Kit 2016 MacPhun)
Freeway Express
Freeway Pro
FX Photo Studio CK (Creative Kit 2016 MacPhun)
Hazel.prefPane
Intensify CK (Creative Kit 2016 MacPhun)
IPNetMonitorX
JavaAppletPlugin.plugin
LaunchControl
Lytro Desktop
Mac2Tivo (Part of Toast Titanium 11)
MailActOn.mailbundle
MailTags.mailbundle
Mail Perspectives.mailbundle
Markly
moneyGuru
Noiseless CK (Creative Kit 2016 MacPhun)
Recovery Partition Creator 3.8
Sidekick
Snapheal CK (Creative Kit 2016 MacPhun)
Tembo
TiVo Transfer (Part of Toast Titanium 11)
TmpDisk
Tonality CK (Creative Kit 2016 MacPhun)
Translate!It
UninstallPKG
VOX
VPN Tracker 9
Wondershare PDF Editor
Yosemite Tester
ChitChat https://github.com/stonesam92/ChitChat
Hudl Mercury http://public.hudl.com/support/getting-video-online/mercury-for-mac/getting-started-with-mercury-for-mac/
Imposition Wizard https://pressnostress.com/iw/
Merlin Project http://projectwizards.net/en/products/merlin-project/what-is
Toast 12 Titanium http://www.roxio.com/enu/products/toast/titanium/
/Applications/CleanMyMac 2.app/Contents/Frameworks/Sparkle.framework
/Applications/DaisyDisk.app/Contents/Frameworks/Sparkle.framework
/Applications/Debookee.app/Contents/Frameworks/Sparkle.framework
/Applications/Game Capture HD.app/Contents/Frameworks/Sparkle.framework
/Applications/Gyazo.app/Contents/Frameworks/Sparkle.framework
/Applications/iFunBox.app/Contents/Frameworks/Sparkle.framework
/Applications/OBS.app/Contents/Frameworks/Sparkle.framework
/Applications/Reflector 2.app/Contents/Frameworks/Sparkle.framework
/Applications/TeamViewer.app/Contents/Frameworks/Sparkle.framework
/Applications/Utilities/XQuartz.app/Contents/Frameworks/Sparkle.framework
/Applications/uTorrent.app/Contents/Frameworks/Sparkle.framework
/Applications/VLC.app/Contents/Frameworks/Sparkle.framework
Airy.app
Antidote 9.app
Bartender 2.app
CommandQ.app
Facebook Messenger.app
Fluid.app
Fluid.app/Contents/Resources/FluidApp.app
Google Hangout.app
HipChat.app
ImageOptim.app
Impression.app
inSSIDer.app
LightPaper.app
Loopback.app
Piezo.app
Sequel Pro.app
Sketch.app
SourceTree.app
TinyGrab.app
Wine.app
WineBottler.app
@LasseRafn : HockeyApp for Mac only uses Sparkle with HTTPS, not sure why you added it to your list.
Some more apps:
- Airfoil Speakers
- Airfoil
- Beats Updater
- Boxcryptor
- Cyberduck
- Evernote
- GPG Keychain
- HandBrake
- IPSecuritas
- iTaskX
- iTerm
- iTerm2
- KisMAC
- Sequel Pro
- SourceTree
- StuffIt Expander
- TeamViewer
- Utilities
- VLC
Wrote a more precise command that outputs the app and the Sparkle BundleVersion from the plist.
find /Applications -name Sparkle.framework | sed 's,/Applications/\(.*\)\.app/Resources/Info.*,\1,'|while read fname; do
appname=$(echo $fname | sed -e 's/\/Contents\/Frameworks\/Sparkle\.framework//g' | sed -e 's/\/Applications\///g')
version="$(defaults read "$fname/Resources/Info" CFBundleShortVersionString)"
echo "$appname => $version"
done
More details here:
https://hipsterpixel.co/2016/02/10/are-you-affected-by-the-sparkle-vulnerability-here-s-how-to-find-out/
Very surprised many use a 2008-2009 version of Sparkle...
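As an added example (not part of this thread and not Sparkle's own tooling), the checks traded in the comments above can be combined in one script that reads each bundle's Info.plist directly: SUFeedURL scheme, bundles in sub-folders or with spaces in their names, and the embedded framework version. It also records whether SUPublicDSAKeyFile (the Info.plist key naming the bundled DSA public key Sparkle uses to verify downloads) is present; the bundle names and URLs in the sample tree are constructed, and only Info.plist is read, so per-user preferences are not reflected.

```python
import plistlib
import sys
import tempfile
from pathlib import Path
from urllib.parse import urlparse


def read_plist(path):
    """Return a plist as a dict, or {} when it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # accepts both XML and binary plists
    except Exception:  # a corrupt or unreadable plist must not stop the scan
        return {}
    return data if isinstance(data, dict) else {}


def sparkle_version(bundle):
    """Version of an embedded Sparkle.framework, or None if there is none."""
    framework = bundle / "Contents" / "Frameworks" / "Sparkle.framework"
    if not framework.is_dir():
        return None
    info = read_plist(framework / "Resources" / "Info.plist")
    return str(info.get("CFBundleShortVersionString", "unknown"))


def audit(root):
    """Report every bundle under root that sets SUFeedURL or embeds Sparkle."""
    root = Path(root)
    findings = []
    # rglob copes with sub-folders, spaces and nested bundles (.app, .xpc, ...)
    for info_path in sorted(root.rglob("Info.plist")):
        if info_path.parent.name != "Contents":
            continue  # skips the framework's own Resources/Info.plist
        bundle = info_path.parent.parent
        info = read_plist(info_path)
        feed = info.get("SUFeedURL")
        version = sparkle_version(bundle)
        if feed is None and version is None:
            continue  # no sign of Sparkle in this bundle
        findings.append({
            "bundle": bundle.relative_to(root).as_posix(),
            "bundle_id": info.get("CFBundleIdentifier"),
            "feed_url": feed,
            "scheme": urlparse(str(feed)).scheme.lower() if feed else None,
            "has_dsa_key": "SUPublicDSAKeyFile" in info,
            "sparkle_version": version,
        })
    return findings


def non_https_feeds(findings):
    """Bundles whose appcast URL is fetched over anything but HTTPS."""
    return [f["bundle"] for f in findings
            if f["feed_url"] and f["scheme"] != "https"]


def build_sample_tree(root):
    """Constructed bundles (hypothetical names and URLs) for an offline run."""
    def bundle(rel, info, sparkle=None, fmt=plistlib.FMT_XML):
        contents = Path(root) / rel / "Contents"
        contents.mkdir(parents=True)
        with open(contents / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh, fmt=fmt)
        if sparkle:
            res = contents / "Frameworks" / "Sparkle.framework" / "Resources"
            res.mkdir(parents=True)
            with open(res / "Info.plist", "wb") as fh:
                plistlib.dump({"CFBundleShortVersionString": sparkle}, fh)

    bundle("Alpha.app", {"CFBundleIdentifier": "com.example.alpha",
                         "SUFeedURL": "http://updates.example.com/alpha.xml"},
           sparkle="1.5")
    bundle("Utilities/Beta Tool.app",
           {"CFBundleIdentifier": "com.example.beta",
            "SUFeedURL": "https://updates.example.com/beta.xml",
            "SUPublicDSAKeyFile": "dsa_pub.pem"},
           sparkle="1.13.1", fmt=plistlib.FMT_BINARY)
    bundle("Gamma.app", {"CFBundleIdentifier": "com.example.gamma",
                         "SUFeedURL": "http://updates.example.com/gamma.xml",
                         "SUPublicDSAKeyFile": "dsa_pub.pem"})
    bundle("Delta.app", {"CFBundleIdentifier": "com.example.delta"},
           sparkle="1.13.1")  # framework embedded, no feed URL in Info.plist
    bundle("Epsilon.app", {"CFBundleIdentifier": "com.example.epsilon"})


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit(sys.argv[1])  # e.g. /Applications
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            results = audit(tmp)
    for f in results:
        print(f"{f['bundle']:<26} feed={f['scheme'] or 'none':<6} "
              f"dsa_key={f['has_dsa_key']!s:<6} sparkle={f['sparkle_version']}")
```

Run it with a directory argument such as /Applications to audit real bundles; with no argument it scans the constructed sample tree.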
@LasseRafn : HockeyApp for Mac only uses Sparkle with HTTPS, not sure why you added it to your list.
I'd just like to remind everyone that this thread is for listing all applications using Sparkle. It is NOT for listing only applications affected by the recent security vulnerability.
My list:
Adapter
Airy
Aurora HDR Pro
Coda 2
ColorStrokes
Convrt
Cyberduck
DiskMaker X
Elmedia Player
Folx
Gas Mask
GIF for Mac
GOG Downloader
GPG Keychain
HandBrake
Hear
ImageAlpha
ImageOptim
IP Broadcaster
iStumbler
Kaleidoscope
LiteIcon
MacOptimizer
MacPilot
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
Monolingual
Montage
MPlayerX
NetSpeedy
Noiseless Pro
Reflect Studio
Scrivener
SecureMailtoGenerator
Smaller
Snapheal Pro
Sound Forge Pro
Sound Siphon
Spectacle
Transmission
VLC
Wondershare Video Converter Ultimate
Wondershare Video Editor
Coda 2
Evernote
iTerm
Jumpcut
MAMP
MongoHub
Sequel Pro
TeamViewer
Tower
Transmit
@vallieres
Thank you for your extended terminal commands...
In my case, NONE of my installed apps use any version newer than 1.12, despite the fact that some of them have just been updated today or within the last 24h...
The versions go even back down to 1.5 beta or even 1.1 "No Version in Information Window" (Freeway Pro).
How can I, as a user, find out if this is dangerous for the use of the apps onward?
@thotha you would need to set up a proxy and monitor outgoing connections and see if any of those seem to go to your app's servers, but then again that is not a simple task. Your best bet is to contact them.
Apart from being information, why are you Sparkle guys gathering all the apps using your framework?
Using locate(1) (once its database is built) to find Sparkle.framework
in more places than just /Applications:
in /Applications (or apps in a user directory):
Adium
Air Display Host
Alarm Clock Pro
Audirvana Plus
Bartender
Bartender 2
BetterTouchTool
BibDesk
BitTorrent
Bricksmith
Camtasia 2
Chicken
ControlPlane
Cyberduck
DesignPro
DrawBerry
Elmedia Player
Eloquent
Evernote
Flux
Fraise
GPG Keychain
Geekbench 3
HandBrake
Image2Icon
Inklet
Isolator
Jumpcut
Karabiner
LaTeXiT
MDRP
MPlayer OSX Extended
OpenEmu
Paintbrush
Platypus
RealPlayer Cloud
Reflector 2
Remote Activity
SafariCacheExplorer
Senuti
Simple Comic
Snagit
StuffIt Expander
TeX Live Utility
TeXShop
Trampoline
TunesKit for Mac
UnRarX
Unison
VLC
Vox
Wallsaver
WebKit
Wine
WineBottler
Wondershare AllMyTube
XLD
XQuartz
Zoom
dff2dsf
iChm
iSkysoft iTube Studio
jfControlServer
smcFanControl
Miscellaneous bits elsewhere:
/Library/Application Support/GPGTools/GPGMail_Updater.app
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin
/Library/PreferencePanes/GPGPreferences.prefPane
/Library/PreferencePanes/HyperDock.prefpane
/Library/PreferencePanes/VOX Preferences.prefPane
/Library/Services/GPGServices.service
a version of an app installed by MacPorts:
/opt/local/MacGPG2/libexec/MacGPG2_Updater.app
An app produced by WineBottler:
/Users/rlhamil/Desktop/abcAVI.app/Contents/Resources/Wine.bundle
And some leftovers from an OS update:
/Library/SystemMigration/History/Migration-AF8CBD75-2455-4B1C-A87C-296C69E2FABE/QuarantineRoot/usr/local.hold/MacGPG2/libexec/MacGPG2_Updater.app
ApiKitchen
Clip Manager 4
Clip Manager 5
Cyberduck
DaisyDisk
ImageOptim
myFMbutler Clip Manager 3
PlistEdit Pro
Reflector
StuffIt
TeamViewer
iFunbox
find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
Why is daisydisk appearing when it's downloaded from the App Store??
for a in $(ls /Applications); do defaults read "/Applications/$a/Contents/Info.plist" SUFeedURL 2>/dev/null | grep -v https >/dev/null && echo $a; done
for i in /Applications/*/Contents/Info.plist; do defaults read "$i" SUFeedURL 2>/dev/null; done
Probably because the Daisy Disk developers only use one code-base to develop the App. Then they release either an App Store version or a Non-App Store version. For the App Store version they would probably use a macro to disable the Sparkle framework.
@jbarnaby Understandable, just not comprehending why the app is considered a "culprit" from the following commands.. You know?
I legitimately purchased it so I wouldn't expect any fault. Can I manually disable sparkle frameworks? I believe an update for it was around a month ago, (from Mac App Store) definitely this year if I'm not mistaken..
edit, I just visited their website and I'm 100% positive I didn't purchase it off of there lol.
2nd edit; the app was updated on the 2nd of November 2015 -.- According to Mac App Store
It would show up since the Info plist has the update URL. If you obtained the app via the Mac App Store then the Sparkle framework is likely to be disabled anyway, since including it violates the App Store rules about external updating.
Anyway, this list is just for Apps that use Sparkle rather than Apps that contain the problem.
AppCleaner
BetterTouchTool
DetectX
Fitbit Connect
Fitbit Connect
Flux
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
TeamViewer
Transmit
VLC
BookMacster
iTubeDownloader
RapidWeaver 6
RealTimes
StatPlus
TextSoap
VidConvert
BTT and VLC have been patched. Update now. BTT v1.55 (470) and VLC v2.2.2
iSkysoft Video Converter
Track-o-Bot
Yahoo! Messenger
These were mentioned but I have different application names for them for some reason:
Alarm Clock
Framer
Maybe this is better as a public gist?
AppCleaner
CodeRunner
GitX
Kaleidoscope
Reveal
SimPholders2
Sketch
smcFanControl
SourceTree
Spectacle
Typora
VLC
VOX
@intechman13 So I noticed you mentioned Malwarebytes Anti-Malware being affected. When do you think it'll be safe to download again?
My additions:
iReal Pro (if not from the app store)
textWrangler (probably OK, uses https)
BitTorrent
cDock
ChitChat
Cyberduck
Evernote
HandBrake
HyperSwitch
Icons8
LiteIcon
MAMP
Snagit
SourceTree
TeamViewer
uBar
Utilities
uTorrent
VLC
Some more apps that use Sparkle:
- AnyList
- BackupLoupe
- EyeTV
- Jump Desktop
- Mountain
- NameMangler [has been patched]
- Nisus Writer Pro
- Ortelius
- QRecall 2.0 ß33
- Witch [has been patched]
ASObjC Runner-N 1.9.15 (latest version for OS up to 10.9. Newer OS do not need it anymore as it is implemented into the newer OS through AppleScriptObjC-based libraries) => 1.5 Beta (git)
I used this command: sudo find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
- CyberGhost 5
- Hard Disk Manager
- XTabulato
VLC Version 2.2.2 Weatherwax (Intel 64bit) does still use HTTP instead of HTTPS => 1.6 git
Regarding moneyGuru 2.9.4: Virgil Dupras, the developer, did write me back.
Here is part of his statement.
"But even though Sparkle downloads its updates through HTTP, it checks the signature (a cryptographic signature, not just a hash. the public key used for that signature is in the moneyGuru package itself. the private key is, of course, in my hands, secret) of the downloaded package. It will not install anything if the signature isn't valid."
Adium
AppZapper
DaisyDisk
Dyn Updater
Evernote
GPG Keychain
Icons8 App
MAMP
owncloud
SelfControl
Spectacle
TeamViewer
TeX
TeX
TeX
TeX
Transmission
Utilities
VLC
@thotha I am currently unaware of Little Snitch. I am just repeating what the VLC 2.2.2 release notes claimed: "It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules."
I hope the following information is helpful for concerned users here and elsewhere who are worried about the MITM bug in the Sparkle framework.
All developers I have contacted so far say that the MITM bug is only related to the automatic update feature. Turning that off and doing only manual updates of the applications is safe.
The following example can be used for applications which do not have a setting to turn off automatic backup! If such a setting does exist, it is preferred to use that setting instead!
Here is some feedback from the developer of LaunchControl and BackupLoupe, Robby Phälig.
"If you are concerned about MITM attacks I suggest you disable automatic updates for the time being.
An Example for BackupLoupe:
If you want to disable automatic update checking for BackupLoupe open Terminal.app and enter:
defaults write com.soma-zone.BackupLoupe SUEnableAutomaticChecks -bool false
This works for any application which relies on Sparkle.framework. Just replace "com.soma-zone.BackupLoupe" with the proper bundle identifier. You can find an application's bundle identifier by entering:
defaults read <APP>/Contents/Info.plist CFBundleIdentifier
You have to replace <APP> by the complete path to the application bundle. An Example for BackupLoupe:
defaults read /Applications/Utilities/BackupLoupe.app/Contents/Info.plist CFBundleIdentifier
120! on my Mac.
8-Bitty Controller for OSX
A Better Finder Rename 10
Acorn
Adapter
Airfoil
Airfoil Speakers
Airfoil Video Player
AirServer
AppCleaner
AppViz
Audio Hijack
Bartender 2
BetterZip
Boxer
Carousel
Chatology
ChitChat
Chocolat
CloudApp
Cocktail
coconutBattery
CodeKit
Colloquy
ControllerMate
ControllerMate
Core Data Editor
CrossOver
Crunch
Dash
Desktop Curtain
Drive Genius 3
Enjoy2
Evom
Exhaust
Feeder
Feeder 3
Final Vinyl
Flashlight
Flux
fseventer
Get iPlayer Automator
Gitbox
Glyphs
HandBrake
iExplorer
iFunBox
ImageAlpha
ImageOptim
Infinit
iPhone Backup Extractor
iStumbler
iSubtitle
iTools
JPEGmini Pro
Keka
LevelHelper
LineIn
LiquidCD
Loop Editor
MDRP
MediaInfo Mac
MetaZ
Minbox
Miro Video Converter
Mou
MPEG2 Works 4
MPlayerX
MTR 5
Name Mangler
NameChanger
Notational Velocity
Noun Project
OpenEmu
Pacifist
PhoneView
PhysicsEditor
Piezo
Platypus
PlistEdit Pro
Plug
Radium
Retrode Utility
RipIt
RoadMovie
RoboFont
S3Hub
ScreenFlow
ScreenSharingMenulet
Sequel Pro
Simple Comic
Simul80
Sketch
Sketch Toolbox
Sound Studio
Stay
Subler
Submerge
Tagger
TeamViewer
TechTool Pro 8
TexturePacker
Transmission
Transmit
UnRarX
VelOCRaptor
VideoMonkey
VideoSpec
Vienna
VisualHub
VLC
Witgui
Wondershare Video Converter Ultimate
xACT
XLD
XQuartz
xScope
Xslimmer
Yarg
Yate
Zwoptex
HoudahSpot: Advanced file search
HoudahGeo: Photo geotagging solution
Tembo: File search assistant
Recent versions use HTTPS for appcast and release notes
iReal Pro's tech support checked with the developers: The newest version, from this week, (iReal Pro 7.0) uses the newest version of Sparkle and is thus safe to auto update.
@domelias That's right, you can enable auto-updating once the application has been patched.
THESE APPLICATIONS HAVE BEEN OFFICIALLY PATCHED:
App Cleaner
BetterTouchTool
DetectX
PowerPhotos
VLC
@thotha I have tested the claims of VLC being patched and have realized that VLC still uses an HTTP connection in v2.2.2 and is therefore still unsafe. VLC is STILL vulnerable!
Apps That Have Claimed to Have Been Patched:
AppCleaner:
“Updated Sparkle (the in-app updater) to fix a security issue.”
BetterTouchTool:
“Fixes the Sparkle vulnerability”
DetectX:
“Improved: Sparkle security check can now be turned on and off in the Preferences Pane; default is 'Off'.”
Fitbit Connect:
None
Fitbit Connect:
None
Flux:
None
Malwarebytes Anti-Malware:
None
Malwarebytes Anti-Malware:
None
TeamViewer:
None
Transmit:
None
VLC:
“It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules.”
- CocoaPacketAnalyzer (http://www.tastycocoabytes.com/cpa/)
- Frozen Synapse (http://www.frozensynapse.com/)
- Gmail Notifr (http://ashchan.com/projects/gmail-notifr)
- Gratuitous Space Battles (http://positech.co.uk/gratuitousspacebattles/)
- Mashduo (http://mashduo.com/)
- MenuEverywhere (http://www.binarybakery.com/aprod/menueverywhere.html)
- MultiFirefox (https://github.com/themartorana/MultiFirefox)
- Numi (https://itunes.apple.com/gb/app/numi/id484388250?mt=12)
- PixelPeeper (http://www.irradiatedsoftware.com/labs/)
- Pixen (http://www.pixenapp.com/)
- Querious (http://www.araelium.com/querious/)
- Remember (http://lightheadsw.com/remember/)
- SIDPLAY (http://www.sidmusic.org/sidplay/mac/)
- Spacey (http://most-advantageous.com/spacey/)
- SynalizeIt (https://www.synalysis.net/)
- Telling Folders (http://www.omz-software.com/stuff/)
- VLCStreamer (http://hobbyistsoftware.com/vlcstreamer)
- Zooom/2 (http://www.coderage-software.com/zooom/index.html)
My apps which use Sparkle:
Cookie 5
Cookie
WiFiSpoof
Invisible
Privatus
eMail Address Extractor
Hides
all current versions use https for updating
I updated GraphicConverter 9 and CADintosh today.
Both now use the latest Sparkle and https.
5KPlayer - http://www.5kplayer.com
Software - https://software.com/mac/
StuffIt Destinations - http://my.smithmicro.com/stuffit-deluxe-mac.html
Window Tidy - http://www.lightpillar.com/window-tidy.html
Zenmate VPN - https://zenmate.com
@jakepetroules thanks for the terminal command. I always have 'Malwarebytes Anti-Malware' twice.
I have checked, only one app.
I found why with the cmd:
find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'
Malwarebytes Anti-Malware.app
Malwarebytes Anti-Malware Service.xpc
If you don't like to use Terminal, DetectX version 2.14 and above lists the apps using Sparkle with/out https.
Preferences, checkmark, run, bottom of window, drag it down to see the black drawer.
Any updates on..?
.Knock
.Malwarebytes
.TunnelBear
.SmoothMouse
Thanks in advance!
Not obviously vulnerable (current stable version only)
- Adium
- BibDesk
- Boxer
- Bartender 2
- Bodega (abandoned, still useful for Sparkle version update detection)
- Boxcar
- ClipMenu (abandoned? open-source)
- coconutBattery
- Cyberduck
- Dash
- Expandrive
- Flux
- GPGTools Suite (GPG Keychain, GPGPreference, GPGMail_Updater, MacGPG2_Update, etc.)
- Hands Off!
- Handbrake
- iFunBox
- iTerm 2
- TechSmith Jing
- Jitsi
- Karabiner
- LaTeXiT
- Lingon X
- Mou (abandoned?)
- Pacifist
- Reveal
- Seil
- Shady (abandoned? and open-source)
- SourceTree
- TeX Live Utility
- TeXShop
- Toast Titanium
- TotalFinder
- Transmission
- Transmit
- VLC (Sparkle framework updated, appcast uses http:// but downloads are signed)
- VLC Setup (not VLC)
- XQuartz
Could be vulnerable / unreachable appcast
- Breakaway (abandoned? and open-source)
- Kismac NG (abandoned?)
- UnRarX (abandoned?)
Sparkle for the MacOS Application TeXShop has the suboptimal habit of accumulating what appear to be old versions of TeXShop in a folder /Users/username/Library/Application Support/TeXShop/.Sparkle (where "username" is a placeholder). In my case, these (40!) old versions unnecessarily occupy a total of ~3.5GB. IMHO, this state of affairs should be optimised (at most 3 old versions should be kept).
@simonkramer The accumulation of copies in application support has been fixed a while ago. It'll stop happening when the app updates to the current version of Sparkle.

Edit: this issue has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.
Sparkle website lists some Mac apps that use the framework, but this list has been compiled a while ago.
Edit: thanks for your suggestions! We've got a long list!
Here's my list: