sparkle-project / Sparkle

A software update framework for macOS
https://sparkle-project.org

Applications using Sparkle #717

Closed kornelski closed 2 years ago

kornelski commented 8 years ago

Edit: this issue has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.

Sparkle website lists some Mac apps that use the framework, but this list has been compiled a while ago.

Edit: thanks for your suggestions! We've got a long list!

Here's my list:

Kosmic-Halo commented 8 years ago

@rlhamil I purchased it through Mac App Store though?

jbarnaby commented 8 years ago

Probably because the Daisy Disk developers only use one code-base to develop the App. Then they release either an App Store version or a Non-App Store version. For the App Store version they would probably use a macro to disable the Sparkle framework.

Kosmic-Halo commented 8 years ago

@jbarnaby Understandable, just not comprehending why the app is considered a "culprit" from the following commands... You know?

I legitimately purchased it so I wouldn't expect any fault. Can I manually disable Sparkle frameworks? I believe an update for it was around a month ago (from the Mac App Store), definitely this year if I'm not mistaken.

edit, I just visited their website and I'm 100% positive I didn't purchase it off of there lol.

2nd edit; the app was updated on the 2nd of November 2015 -.- According to Mac App Store

jbarnaby commented 8 years ago

It would show up since the Info.plist has the update URL. If you obtained the App via the Mac App Store then the Sparkle framework is likely to be disabled anyway, since including it violates the App Store rules about external updating.

Anyway, this list is just for Apps that use Sparkle rather than Apps that contain the problem.

digitalmoksha commented 8 years ago

Versatil Markdown (and has been updated to use https, v1.1.4)

ghost commented 8 years ago

AppCleaner
BetterTouchTool
DetectX
Fitbit Connect
Fitbit Connect
Flux
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
TeamViewer
Transmit
VLC

jimkessler commented 8 years ago

BookMacster
iTubeDownloader
RapidWeaver 6
RealTimes
StatPlus
TextSoap
VidConvert

ctash commented 8 years ago

Dash has been patched as of v3.2.2 (192)

ghost commented 8 years ago

BTT and VLC have been patched. Update now. BTT v1.55 (470) and VLC v2.2.2

dyspop commented 8 years ago

iSkysoft Video Converter
Track-o-Bot
Yahoo! Messenger

These were mentioned but I have different application names for them for some reason:

Alarm Clock
Framer

Maybe this is better as a public gist?

urmyfaith commented 8 years ago

AppCleaner
CodeRunner
GitX
Kaleidoscope
Reveal
SimPholders2
Sketch
smcFanControl
SourceTree
Spectacle
Typora
VLC
VOX

Kosmic-Halo commented 8 years ago

@intechman13 So i noticed you mentioned Malwarebytes Anti-Malware being affected. When do you think it'll be safe to download again?

Kosmic-Halo commented 8 years ago

@EdenSG I noticed you mentioned TunnelBear, but it uses https?

domelias commented 8 years ago

My additions:

iReal Pro (if not from the app store)
textWrangler (probably OK, uses https)

xtensions commented 8 years ago

BitTorrent
cDock
ChitChat
Cyberduck
Evernote
HandBrake
HyperSwitch
Icons8
LiteIcon
MAMP
Snagit
SourceTree
TeamViewer
uBar
Utilities
uTorrent
VLC

erikmh commented 8 years ago

Some more apps that use Sparkle:

ghost commented 8 years ago

@Kosmic-Halo I will let you know when it is patched here: https://github.com/sparkle-project/Sparkle/issues/743

thotha commented 8 years ago

ASObjC Runner-N 1.9.15 (latest version for OS up to 10.9; newer OS versions do not need it anymore, as it is implemented in the newer OS through AppleScriptObjC-based libraries) => 1.5 Beta (git)

lNobodyl commented 8 years ago

I used this command:

sudo find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'

thotha commented 8 years ago

VLC Version 2.2.2 Weatherwax (Intel 64bit) does still use HTTP instead of HTTPS => 1.6 git

ghost commented 8 years ago

VLC 2.2.2 release notes claimed to have patched the issue

thotha commented 8 years ago

@intechman13 well, then either I misinterpreted the following with the help of Little Snitch?

(screenshot: Bildschirmfoto 2016-02-12 um 13.09.47)

thotha commented 8 years ago

Regarding moneyGuru 2.9.4, Virgil Dupras, the developer, wrote me back. Here is part of his statement: "But even though Sparkle downloads its updates through HTTP, it checks the signature (a cryptographic signature, not just a hash; the public key used for that signature is in the moneyGuru package itself; the private key is, of course, in my hands, secret) of the downloaded package. It will not install anything if the signature isn't valid."

danieldizzy commented 8 years ago

Adium
AppZapper
DaisyDisk
Dyn Updater
Evernote
GPG Keychain
Icons8 App
MAMP
owncloud
SelfControl
Spectacle
TeamViewer
TeX
TeX
TeX
TeX
Transmission
Utilities
VLC

ghost commented 8 years ago

@thotha I am currently unaware of Little Snitch. I am just repeating what the VLC 2.2.2 release notes claimed: " It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules."

thotha commented 8 years ago

I hope the following information is helpful for concerned users here and elsewhere who are worried about the MITM bug in the Sparkle framework. All developers I have contacted so far say that the MITM bug is only related to the automatic update feature. Turning that off and only doing manual updates of the applications is safe.

The following example can be used for applications which do not have a setting to turn off automatic backup! If such a setting does exist, it is preferable to use that setting instead!

Here is some feedback from the developer of LaunchControl and BackupLoop, Robby Phälig. "If you are concerned about MITM attacks I suggest you disable automatic updates for the time being. An example for BackupLoupe: If you want to disable automatic update checking for BackupLoupe, open Terminal.app and enter:

defaults write com.soma-zone.BackupLoupe SUEnableAutomaticChecks -bool false

This works for any application which relies on Sparkle.framework. Just replace "com.soma-zone.BackupLoupe" with the proper bundle identifier. You can find an application's bundle identifier by entering:

defaults read <APP>/Contents/Info.plist CFBundleIdentifier

You have to replace <APP> by the complete path to the application bundle. An example for BackupLoupe:

defaults read /Applications/Utilities/BackupLoupe.app/Contents/Info.plist CFBundleIdentifie

gingerbeardman commented 8 years ago

120! on my Mac.

8-Bitty Controller for OSX
A Better Finder Rename 10
Acorn
Adapter
Airfoil
Airfoil Speakers
Airfoil Video Player
AirServer
AppCleaner
AppViz
Audio Hijack
Bartender 2
BetterZip
Boxer
Carousel
Chatology
ChitChat
Chocolat
CloudApp
Cocktail
coconutBattery
CodeKit
Colloquy
ControllerMate
ControllerMate
Core Data Editor
CrossOver
Crunch
Dash
Desktop Curtain
Drive Genius 3
Enjoy2
Evom
Exhaust
Feeder
Feeder 3
Final Vinyl
Flashlight
Flux
fseventer
Get iPlayer Automator
Gitbox
Glyphs
HandBrake
iExplorer
iFunBox
ImageAlpha
ImageOptim
Infinit
iPhone Backup Extractor
iStumbler
iSubtitle
iTools
JPEGmini Pro
Keka
LevelHelper
LineIn
LiquidCD
Loop Editor
MDRP
MediaInfo Mac
MetaZ
Minbox
Miro Video Converter
Mou
MPEG2 Works 4
MPlayerX
MTR 5
Name Mangler
NameChanger
Notational Velocity
Noun Project
OpenEmu
Pacifist
PhoneView
PhysicsEditor
Piezo
Platypus
PlistEdit Pro
Plug
Radium
Retrode Utility
RipIt
RoadMovie
RoboFont
S3Hub
ScreenFlow
ScreenSharingMenulet
Sequel Pro
Simple Comic
Simul80
Sketch
Sketch Toolbox
Sound Studio
Stay
Subler
Submerge
Tagger
TeamViewer
TechTool Pro 8
TexturePacker
Transmission
Transmit
UnRarX
VelOCRaptor
VideoMonkey
VideoSpec
Vienna
VisualHub
VLC
Witgui
Wondershare Video Converter Ultimate
xACT
XLD
XQuartz
xScope
Xslimmer
Yarg
Yate
Zwoptex

gloubibou commented 8 years ago

HoudahSpot: Advanced file search
HoudahGeo: Photo geotagging solution
Tembo: File search assistant

Recent versions use HTTPS for appcast and release notes

ghost commented 8 years ago

I am adding PowerPhotos to the list.

ChadTaljaardt commented 8 years ago

CloudApp
CyberGhost 5
Debookee
Flux
TeamViewer
uTorrent
VLC

domelias commented 8 years ago

iReal Pro's tech support checked with the developers: the newest version, from this week (iReal Pro 7.0), uses the newest version of Sparkle and is thus safe to auto-update.

ghost commented 8 years ago

@domelias That's right, you can enable auto-updating once the application has been patched.

ghost commented 8 years ago

THESE APPLICATIONS HAVE BEEN OFFICIALLY PATCHED:

App Cleaner
BetterTouchTool
DetectX
PowerPhotos
VLC

ghost commented 8 years ago

@thotha I have tested the claims of VLC being patched and have realized that VLC still uses an HTTP connection in v2.2.2 and is therefore still unsafe. VLC is STILL vulnerable!

ghost commented 8 years ago

Apps That Have Claimed to Have Been Patched:

AppCleaner: “Updated Sparkle (the in-app updater) to fix a security issue.”

BetterTouchTool: “Fixes the Sparkle vulnerability”

DetectX: “Improved: Sparkle security check can now be turned on and off in the Preferences Pane; default is 'Off'.”

Fitbit Connect: None

Fitbit Connect: None

Flux: None

Malwarebytes Anti-Malware: None

Malwarebytes Anti-Malware: None

TeamViewer: None

Transmit: None

VLC: “It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules.”

nudefireninja commented 8 years ago

sweetppro commented 8 years ago

My apps which use Sparkle:

Cookie 5
Cookie
WiFiSpoof
Invisible
Privatus
eMail Address Extractor
Hides

all current versions use https for updating

lemkesoft commented 8 years ago

I updated GraphicConverter 9 and CADintosh today. Both use now the latest Sparkle and https.

TraderStf commented 8 years ago

5KPlayer - http://www.5kplayer.com
Software - https://software.com/mac/
StuffIt Destinations - http://my.smithmicro.com/stuffit-deluxe-mac.html
Window Tidy - http://www.lightpillar.com/window-tidy.html
Zenmate VPN - https://zenmate.com

TraderStf commented 8 years ago

https://www.taoeffect.com/blog/2016/02/apologies-sky-kinda-falling-protecting-yourself-from-sparklegate/

TraderStf commented 8 years ago

@jakepetroules thanks for the terminal command. I always have 'Malwarebytes Anti-Malware' twice. I have checked, only one app.

I found why with the cmd:

find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'

Malwarebytes Anti-Malware.app
Malwarebytes Anti-Malware Service.xpc

TraderStf commented 8 years ago

If you don't like to use Terminal, DetectX version 2.14 and above lists the apps using Sparkle with/out https. Preferences, checkmark, run, bottom of window, drag it down to see the black drawer.
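As an added example (not code from the Sparkle project or from anyone in this thread), here is a Python 3 script that does in one place what the find/awk one-liners and DetectX's listing above do: it walks a directory tree for bundles that embed Sparkle.framework, reads SUFeedURL and the signing-key entries (SUPublicDSAKeyFile, SUPublicDSAKey, SUPublicEDKey) from each bundle's Info.plist, reads the embedded Sparkle version from the framework's own Info.plist, and prints the `defaults write <bundle id> SUEnableAutomaticChecks -bool false` command quoted earlier for every bundle whose appcast is fetched over plain http. It walks up to the enclosing .app or .xpc, so a helper XPC service with its own copy of Sparkle is listed on its own, which is why Malwarebytes appeared twice in the find output. The `make_fixture()` bundles are constructed sample data, not real apps; the bundle ids, URLs and version strings in it are made up. Only the standard library is used, so `python3 sparkle_scan.py --demo` runs anywhere; `--apply` shells out to `defaults` and therefore only does anything on macOS.

```python
import os
import plistlib
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from urllib.parse import urlsplit

SPARKLE = "Sparkle.framework"
# Info.plist keys under which a Sparkle-using app configures its update-signing public key.
KEY_FIELDS = ("SUPublicDSAKeyFile", "SUPublicDSAKey", "SUPublicEDKey")


@dataclass
class SparkleUse:
    bundle: str            # the .app or .xpc that embeds Sparkle.framework
    bundle_id: str         # CFBundleIdentifier, what `defaults write` needs
    feed_url: str          # SUFeedURL from the bundle's Info.plist, if set there
    sparkle_version: str   # CFBundleShortVersionString of the embedded framework
    has_key: bool          # a DSA/EdDSA public key is configured for update signing

    @property
    def status(self) -> str:
        if not self.feed_url:
            return "no-feed"   # feed may be set in code or user defaults: not proof of safety
        if urlsplit(self.feed_url).scheme.lower() == "https":
            return "https"
        return "http+key" if self.has_key else "http"


def _read_plist(path: str) -> dict:
    try:
        with open(path, "rb") as fh:
            return plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException):
        return {}


def _enclosing_bundle(framework_dir: str) -> str:
    # .../Foo.app/Contents/Frameworks/Sparkle.framework -> .../Foo.app (or .xpc)
    p = framework_dir
    while p != os.path.dirname(p):
        p = os.path.dirname(p)
        if p.endswith((".app", ".xpc")):
            return p
    return os.path.dirname(framework_dir)


def scan(root: str) -> list:
    """One SparkleUse per bundle under `root` that embeds Sparkle.framework."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        if SPARKLE not in dirnames:
            continue
        dirnames.remove(SPARKLE)            # do not descend into the framework itself
        fw = os.path.join(dirpath, SPARKLE)
        bundle = _enclosing_bundle(fw)
        info = _read_plist(os.path.join(bundle, "Contents", "Info.plist"))
        fw_info = _read_plist(os.path.join(fw, "Resources", "Info.plist"))
        found.append(SparkleUse(
            bundle=bundle,
            bundle_id=str(info.get("CFBundleIdentifier", "?")),
            feed_url=str(info.get("SUFeedURL", "")),
            sparkle_version=str(fw_info.get("CFBundleShortVersionString", "?")),
            has_key=any(info.get(k) for k in KEY_FIELDS),
        ))
    return sorted(found, key=lambda u: u.bundle)


def disable_auto_check_cmd(use: SparkleUse) -> list:
    # The per-app mitigation quoted in the thread, parameterised by bundle id.
    return ["defaults", "write", use.bundle_id, "SUEnableAutomaticChecks", "-bool", "false"]


def make_fixture() -> str:
    """Constructed sample tree (not real apps) so the scan can run offline on any OS."""
    root = tempfile.mkdtemp(prefix="sparkle-scan-")
    samples = [  # (bundle path, bundle id, feed url, signing key?, Sparkle version) - all made up
        ("Secure.app", "example.secure", "https://example.invalid/appcast.xml", True, "1.14.0"),
        ("Signed.app", "example.signed", "http://example.invalid/appcast.xml", True, "1.5"),
        ("Plain.app", "example.plain", "http://example.invalid/appcast.xml", False, "1.6"),
        ("Plain.app/Contents/XPCServices/Helper.xpc", "example.plain.helper", "", False, "1.6"),
    ]
    for bundle, bid, feed, key, ver in samples:
        fw_res = os.path.join(root, bundle, "Contents", "Frameworks", SPARKLE, "Resources")
        os.makedirs(fw_res)
        info = {"CFBundleIdentifier": bid}
        if feed:
            info["SUFeedURL"] = feed
        if key:
            info["SUPublicDSAKeyFile"] = "dsa_pub.pem"
        with open(os.path.join(root, bundle, "Contents", "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)
        with open(os.path.join(fw_res, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": ver}, fh)
    return root


if __name__ == "__main__":
    root = make_fixture() if "--demo" in sys.argv else "/Applications"
    for use in scan(root):
        print(f"{use.status:8} sparkle={use.sparkle_version:7} {use.bundle_id:28} {use.feed_url}")
        if use.status in ("http", "http+key"):
            cmd = disable_auto_check_cmd(use)
            print("    ", " ".join(cmd))
            if "--apply" in sys.argv:          # macOS only: actually runs `defaults write`
                subprocess.run(cmd, check=True)
```

Two caveats the thread itself raises are built into the status column: a signed package (the moneyGuru developer's point) is reported as http+key rather than https, because the appcast is still fetched in the clear, and "no-feed" only means the URL is not in Info.plist (Sparkle also accepts the feed URL from the app's code or from user defaults), so it is not a clean bill of health. Reading Info.plist files under /Applications needs no sudo, unlike the find command above.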

ghost commented 8 years ago

Thank you @TraderStf that was very helpful.

Kosmic-Halo commented 8 years ago

Any updates on..?

Knock
Malwarebytes
TunnelBear
SmoothMouse

Thanks in advance!

Kosmic-Halo commented 8 years ago

How about the apps Arthur, Viscosity, ClipMenu?

skull-squadron commented 8 years ago

Not obviously vulnerable (current stable version only)

Could be vulnerable / unreachable appcast

simonkramer commented 8 years ago

Sparkle for the MacOS application TeXShop has the suboptimal habit of accumulating what appear to be old versions of TeXShop in a folder /Users/username/Library/Application Support/TeXShop/.Sparkle (where "username" is a placeholder). In my case, these (40!) old versions unnecessarily occupy a total of ~3.5GB. IMHO, this state of affairs should be optimised (at most 3 old versions should be kept).

kornelski commented 8 years ago

@simonkramer The accumulation of copies in application support has been fixed a while ago. It'll stop happening when the app updates to the current version of Sparkle.

ghost commented 8 years ago

@Kosmic-Halo Malwarebytes v1.2.4.584 has been patched!!!!!

xor-gate commented 2 years ago

The syncthing-macos project uses Sparkle