Closed kornelski closed 2 years ago
@rlhamil I purchased it through Mac App Store though?
Probably because the Daisy Disk developers only use one code-base to develop the App. Then they release either an App Store version or a Non-App Store version. For the App Store version they would probably use a macro to disable the Sparkle framework.
@jbarnaby Understandable, just not comprehending why the app is considered a "culprit" from the following commands.. You know?
I legitimately purchased it so I wouldn't expect any fault. Can I manually disable sparkle frameworks? I believe an update for it was around a month ago, (from Mac App Store) definitely this year if I'm not mistaken..
edit, I just visited their website and I'm 100% positive I didn't purchase it off of there lol.
2nd edit; the app was updated on the 2nd of November 2015 -.- According to Mac App Store
It would show up since the Info.plist has the update URL. If you obtained the App via the Mac App Store then the Sparkle framework is likely to be disabled anyway since including it violates the App Store rules about external updating.
Anyway, this list is just for Apps that use Sparkle rather than Apps that contain the problem.
Versatil Markdown (and has been updated to use https, v1.1.4)
AppCleaner BetterTouchTool DetectX Fitbit Connect Fitbit Connect Flux Malwarebytes Anti-Malware Malwarebytes Anti-Malware TeamViewer Transmit VLC
BookMacster iTubeDownloader RapidWeaver 6 RealTimes StatPlus TextSoap VidConvert
BTT and VLC have been patched. Update now. BTT v1.55 (470) and VLC v2.2.2
iSkysoft Video Converter Track-o-Bot Yahoo! Messenger
These were mentioned but I have different application names for them for some reason: Alarm Clock Framer
Maybe this is better as a public gist?
AppCleaner CodeRunner GitX Kaleidoscope Reveal SimPholders2 Sketch smcFanControl SourceTree Spectacle Typora VLC VOX
@intechman13 So I noticed you mentioned Malwarebytes Anti-Malware being affected. When do you think it'll be safe to download again?
@EdenSG I noticed you mentioned TunnelBear, but it uses https?
My additions:
iReal Pro (if not from the app store) textWrangler (probably OK, uses https)
BitTorrent cDock ChitChat Cyberduck Evernote HandBrake HyperSwitch Icons8 LiteIcon MAMP Snagit SourceTree TeamViewer uBar Utilities uTorrent VLC
Some more apps that use Sparkle:
@Kosmic-Halo I will let you know when it is patched here: https://github.com/sparkle-project/Sparkle/issues/743
ASObjC Runner-N 1.9.15 (latest version for OS up to 10.9. Newer OS do not need it anymore as it is implemented into the newer OS through AppleScriptObjC-based libraries) => 1.5 Beta (git)
I used this command: sudo find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
VLC Version 2.2.2 Weatherwax (Intel 64bit) does still use HTTP instead of HTTPS => 1.6 git
VLC 2.2.2 release notes claimed to have patched the issue
@intechman13 well then either I did misinterpret the following with the help of Little Snitch?
Regarding moneyGuru 2.9.4, Virgil Dupras, the developer, wrote me back. Here is part of his statement. "But even though Sparkle downloads its updates through HTTP, it checks the signature (a cryptographic signature, not just a hash. the public key used for that signature is in the moneyGuru package itself. the private key is, of course, in my hands, secret) of the downloaded package. It will not install anything if the signature isn't valid."
Adium AppZapper DaisyDisk Dyn Updater
GPG Keychain Icons8 App
SelfControl Spectacle
TeX TeX TeX TeX
Utilities VLC
@thotha I am currently unaware of Little Snitch. I am just repeating what the VLC 2.2.2 release notes claimed: " It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules."
I hope the following information is helpful for concerned users here and elsewhere who are worried about the MITM bug in the Sparkle framework. All developers I have contacted so far say that the MITM bug is only related to the automatic update feature. Turning that off and only updating the applications manually is safe.
Here is some feedback from the developer of LaunchControl and BackupLoupe, Robby Phälig.
"If you are concerned about MITM attacks I suggest you disable automatic updates for the time being.
An example for BackupLoupe:
If you want to disable automatic update checking for BackupLoupe open Terminal.app and enter:
defaults write com.soma-zone.BackupLoupe SUEnableAutomaticChecks -bool false
This works for any application which relies on Sparkle.framework. Just replace "com.soma-zone.BackupLoupe" with the proper bundle identifier. You can find an application's bundle identifier by entering:
defaults read <APP>/Contents/Info.plist CFBundleIdentifier
You have to replace <APP> by the complete path to the application bundle. An example for BackupLoupe:
defaults read /Applications/Utilities/BackupLoupe.app/Contents/Info.plist CFBundleIdentifier
120! on my Mac.
8-Bitty Controller for OSX A Better Finder Rename 10 Acorn Adapter Airfoil Airfoil Speakers Airfoil Video Player AirServer AppCleaner AppViz Audio Hijack Bartender 2 BetterZip Boxer Carousel Chatology ChitChat Chocolat CloudApp Cocktail coconutBattery CodeKit Colloquy ControllerMate ControllerMate Core Data Editor CrossOver Crunch Dash Desktop Curtain Drive Genius 3 Enjoy2 Evom Exhaust Feeder Feeder 3 Final Vinyl Flashlight Flux fseventer Get iPlayer Automator Gitbox Glyphs HandBrake iExplorer iFunBox ImageAlpha ImageOptim Infinit iPhone Backup Extractor iStumbler iSubtitle iTools JPEGmini Pro Keka LevelHelper LineIn LiquidCD Loop Editor MDRP MediaInfo Mac MetaZ Minbox Miro Video Converter Mou MPEG2 Works 4 MPlayerX MTR 5 Name Mangler NameChanger Notational Velocity Noun Project OpenEmu Pacifist PhoneView PhysicsEditor Piezo Platypus PlistEdit Pro Plug Radium Retrode Utility RipIt RoadMovie RoboFont S3Hub ScreenFlow ScreenSharingMenulet Sequel Pro Simple Comic Simul80 Sketch Sketch Toolbox Sound Studio Stay Subler Submerge Tagger TeamViewer TechTool Pro 8 TexturePacker Transmission Transmit UnRarX VelOCRaptor VideoMonkey VideoSpec Vienna VisualHub VLC Witgui Wondershare Video Converter Ultimate xACT XLD XQuartz xScope Xslimmer Yarg Yate Zwoptex
HoudahSpot: Advanced file search HoudahGeo: Photo geotagging solution Tembo: File search assistant
Recent versions use HTTPS for appcast and release notes
I am adding PowerPhotos to the list.
CloudApp CyberGhost 5 Debookee Flux TeamViewer uTorrent VLC
iReal Pro's tech support checked with the developers: The newest version, from this week (iReal Pro 7.0), uses the newest version of Sparkle and is thus safe to auto update.
@domelias That's right, you can enable auto-updating once the application has been patched.
THESE APPLICATIONS HAVE BEEN OFFICIALLY PATCHED:
App Cleaner BetterTouchTool DetectX PowerPhotos VLC
@thotha I have tested the claims of VLC being patched and have realized that VLC still uses an HTTP connection in v2.2.2 and is therefore still unsafe. VLC is STILL vulnerable!
Apps That Have Claimed to Have Been Patched:
AppCleaner: “Updated Sparkle (the in-app updater) to fix a security issue.”
BetterTouchTool: “Fixes the Sparkle vulnerability”
DetectX: “Improved: Sparkle security check can now be turned on and off in the Preferences Pane; default is 'Off'.”
Fitbit Connect: None
Fitbit Connect: None
Flux: None
Malwarebytes Anti-Malware: None
Malwarebytes Anti-Malware: None
TeamViewer: None
Transmit: None
VLC: “It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules.”
My apps which use Sparkle: Cookie 5 Cookie WiFiSpoof Invisible Privatus eMail Address Extractor Hides
all current versions use https for updating
I updated GraphicConverter 9 and CADintosh today. Both use now the latest Sparkle and https.
5KPlayer - http://www.5kplayer.com Software - https://software.com/mac/ StuffIt Destinations - http://my.smithmicro.com/stuffit-deluxe-mac.html Window Tidy - http://www.lightpillar.com/window-tidy.html Zenmate VPN - https://zenmate.com
@jakepetroules thanks for the terminal command. I always have 'Malwarebytes Anti-Malware' twice. I have checked, only one app.
I found why with the cmd: find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'
Malwarebytes Anti-Malware.app Malwarebytes Anti-Malware Service.xpc
If you don't like to use Terminal, DetectX version 2.14 and above lists the apps using Sparkle with/out https. Preferences, checkmark, run, bottom of window, drag it down to see the black drawer.
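An added example, not from this thread or the Sparkle project: a Python 3 script that does what the find/awk one-liners above do, but also reads each bundle's Info.plist with plistlib (so binary plists work too) and reports whether the SUFeedURL appcast is fetched over plain http or https, which is what the MITM discussion turns on. The fixture bundles, example.invalid URLs and bundle ids are constructed for the demo; run audit("/Applications") on a real Mac.

```python
import os
import plistlib
import tempfile
from urllib.parse import urlsplit

def enclosing_bundle(path):
    """Nearest ancestor of `path` that is an .app/.xpc/.appex bundle, or None."""
    d = os.path.dirname(path)
    while d and d != os.path.dirname(d):
        if os.path.splitext(d)[1] in (".app", ".xpc", ".appex"):
            return d
        d = os.path.dirname(d)
    return None

def classify_feed(url):
    """http = plaintext appcast (exposed to MITM); https = protected; no-feed = key absent."""
    if not url:
        return "no-feed"  # the feed may still be set in code via the SUUpdater delegate
    scheme = urlsplit(url).scheme.lower()
    return scheme if scheme in ("http", "https") else "other"

def audit(root):
    """Map each bundle containing Sparkle.framework to (CFBundleIdentifier, SUFeedURL, class)."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root):
        if "Sparkle.framework" not in dirnames:
            continue
        dirnames.remove("Sparkle.framework")  # nothing of interest inside the framework itself
        bundle = enclosing_bundle(os.path.join(dirpath, "Sparkle.framework"))
        if bundle is None:
            continue
        try:
            with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as f:
                info = plistlib.load(f)  # reads XML and binary plists alike
        except (OSError, plistlib.InvalidFileException):
            info = {}
        feed = info.get("SUFeedURL")
        results[bundle] = (info.get("CFBundleIdentifier"), feed, classify_feed(feed))
    return results

def make_sample_tree():
    """Constructed fixture (not real apps): a plaintext-feed app and a nested XPC with https."""
    root = tempfile.mkdtemp()
    fixtures = {"Plain.app": ("example.plain", "http://example.invalid/appcast.xml"),
                "Host.app/Contents/XPCServices/Helper.xpc": ("example.helper", "https://example.invalid/appcast.xml")}
    for rel, (bid, feed) in fixtures.items():
        os.makedirs(os.path.join(root, rel, "Contents", "Frameworks", "Sparkle.framework"))
        with open(os.path.join(root, rel, "Contents", "Info.plist"), "wb") as f:
            plistlib.dump({"CFBundleIdentifier": bid, "SUFeedURL": feed}, f)
    return root
```

Nested helpers such as the Malwarebytes XPC service above show up as their own bundle, which is why the plain find output listed that app twice.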
Thank you @TraderStf that was very helpful.
Any updates on..?
.Knock .Malwarebytes .TunnelBear .SmoothMouse
Thanks in advance!
How about the apps Arthur, Viscosity, ClipMenu?
Sparkle for the MacOS application TeXShop has the suboptimal habit of accumulating what appear to be old versions of TeXShop in a folder /Users/username/Library/Application Support/TeXShop/.Sparkle (where "username" is a placeholder). In my case, these (40!) old versions unnecessarily occupy a total of ~3.5GB. IMHO, this state of affairs should be optimised (at most 3 old versions should be kept).
@simonkramer The accumulation of copies in application support has been fixed a while ago. It'll stop happening when the app updates to the current version of Sparkle.
@Kosmic-Halo Malwarebytes v1.2.4.584 has been patched!!!!!
The syncthing-macos project uses Sparkle
Edit: this issue has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.
The Sparkle website lists some Mac apps that use the framework, but this list was compiled a while ago.
Edit: thanks for your suggestions! We've got a long list!
Here's my list: