sparkle-project / Sparkle

A software update framework for macOS
https://sparkle-project.org

Mac Apps affected by sparkle updated that I have: #743

Closed ghost closed 2 years ago

ghost commented 8 years ago

- AppCleaner
- BetterTouchTool
- DetectX
- Fitbit Connect
- Fitbit Connect
- Flux
- Malwarebytes Anti-Malware
- Malwarebytes Anti-Malware
- TeamViewer
- Transmit
- VLC

kornelski commented 8 years ago

Such lists are not helpful without version numbers. When the apps are fixed we don't want people to find such a list somewhere and think they're still vulnerable.

I'm not sure if we should be compiling a list of vulnerable apps. We, the Sparkle team, don't have enough time to notify all of them ourselves. If we're going to have a list, we'll also need to coordinate which authors have been notified and which apps have been fixed to avoid flooding authors with unnecessary complaints.

tbfld commented 8 years ago

If Sparkle's maintainers won't publish such a list (with version numbers), then what steps can users take to protect themselves? How would you recommend that users go about determining which apps they have installed are or aren't secure?

ghost commented 8 years ago

All current versions of the apps listed above are vulnerable except for BTT and VLC

ghost commented 8 years ago

I would recommend, if the app says that it needs an update, to download the update from the website rather than through Sparkle.

tbfld commented 8 years ago

This page lists about 700 affected apps, depending on how you count — enough to cast serious doubt on the Sparkle devs' approach. I hope they'll rethink it.

ghost commented 8 years ago

BTT and VLC have been patched. Update now. BTT v1.55 (470) and VLC v2.2.2

kornelski commented 8 years ago

The vulnerability is in the displaying of release notes. The update process itself is verified with digital signatures and is secure, so you don't need to download apps from their websites.

ghost commented 8 years ago

@pornel That is true, you can just as safely manually update from the app using Sparkle. However, if a user knows nothing about any of this and has automatic updates turned on and they see that there is an update at launch of the app and download the update in that method, they are capable of being hijacked, so it is much safer to tell everyone to just download it from the website.

kornelski commented 8 years ago

> they see that there is an update at launch of the app and download the update in that method, they are capable of being hijacked

@intechman13 no, the whole point is that they're not. This is not how it works.

When the user is notified that there's an update it's too late already. The vulnerability is in checking whether there is any update, but not in installing an update. Telling users to download updates from the website will not protect them.

ghost commented 8 years ago

@pornel Oops, sorry. That's what I meant. So instead of downloading off the website, what they need to do is turn off automatic updates. (I think that's right).

ghost commented 8 years ago

I am adding PowerPhotos to the list.

Kosmic-Halo commented 8 years ago

@intechman13 How do you turn off automatic updates for DaisyDisk for example?

ghost commented 8 years ago

@Kosmic-Halo Open DaisyDisk and go to Preferences, then uncheck Automatically check for updates

ghost commented 8 years ago

THESE APPLICATIONS HAVE BEEN OFFICIALLY PATCHED:

- App Cleaner
- BetterTouchTool
- DetectX
- PowerPhotos
- VLC

thotha commented 8 years ago

@intechman13 About AppCleaner, have a look at my question #745.

ghost commented 8 years ago

@thotha I have not yet tried Little Snitch because App Cleaner said in their release notes that they fixed the Sparkle issue and locked it to an HTTPS connection. However, after seeing your post, I decided that I would test their claim with Little Snitch. Thank you for the link, very helpful.

kornelski commented 8 years ago

You can use this script to find vulnerable apps:

https://gist.github.com/pornel/e50af6990f9b24a130af

Please include version and try not to post duplicates.
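
The kind of check such a script performs, as an added example (not the gist's code and not Sparkle project code): it reads each bundle's `Info.plist`, looks for Sparkle's `SUFeedURL` key and a bundled `Sparkle.framework`, and flags feeds served over plain HTTP. The sample bundles, feed URLs and verdict labels are constructed for illustration, and the bundled Sparkle version is not checked.

```python
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse


def classify_bundle(app: Path) -> dict:
    """Classify one .app bundle by how its Sparkle appcast feed is fetched."""
    try:
        with (app / "Contents" / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
    except Exception:  # missing, unreadable or malformed Info.plist
        info = None
    if not isinstance(info, dict):
        return {"app": app.stem, "version": "?", "feed": None,
                "verdict": "unreadable"}

    result = {
        "app": info.get("CFBundleName", app.stem),
        "version": str(info.get("CFBundleShortVersionString", "?")),
        "feed": info.get("SUFeedURL"),
    }
    bundled = (app / "Contents" / "Frameworks" / "Sparkle.framework").is_dir()

    if result["feed"] is None:
        # Sparkle is bundled but the feed is set elsewhere (e.g. in code):
        # the transport cannot be determined from the plist alone.
        result["verdict"] = "unknown-feed" if bundled else "no-sparkle"
        return result

    scheme = urlparse(str(result["feed"])).scheme.lower()
    if scheme == "https":
        result["verdict"] = "https-feed"
    elif scheme == "http":
        result["verdict"] = "insecure-feed"   # appcast can be altered in transit
    else:
        result["verdict"] = "unknown-feed"
    return result


def scan(root: Path) -> list:
    """Classify every top-level .app bundle under root (e.g. /Applications)."""
    return [classify_bundle(app) for app in sorted(root.glob("*.app"))]


def insecure_apps(root: Path) -> list:
    """Names and versions of apps whose feed is fetched over plain HTTP."""
    return [f"{r['app']} {r['version']}" for r in scan(root)
            if r["verdict"] == "insecure-feed"]


def make_app(root: Path, name: str, version: str, feed=None, sparkle=False):
    """Create a constructed, minimal .app bundle for the demonstration."""
    contents = root / f"{name}.app" / "Contents"
    contents.mkdir(parents=True)
    info = {"CFBundleName": name, "CFBundleShortVersionString": version}
    if feed is not None:
        info["SUFeedURL"] = feed
    with (contents / "Info.plist").open("wb") as fh:
        plistlib.dump(info, fh)
    if sparkle:
        (contents / "Frameworks" / "Sparkle.framework").mkdir(parents=True)


def build_sample_apps(root: Path) -> None:
    """Constructed sample input: none of these are real applications."""
    make_app(root, "HttpFeed", "1.0",
             "http://updates.example.invalid/appcast.xml", sparkle=True)
    make_app(root, "HttpsFeed", "2.1",
             "https://updates.example.invalid/appcast.xml", sparkle=True)
    make_app(root, "CodeFeed", "3.0", sparkle=True)   # feed not in the plist
    make_app(root, "Plain", "4.2")                    # no Sparkle at all
    broken = root / "Broken.app" / "Contents"
    broken.mkdir(parents=True)
    (broken / "Info.plist").write_bytes(b"not a plist")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample_root = Path(tmp)
        build_sample_apps(sample_root)
        for row in scan(sample_root):
            print(f"{row['verdict']:>14}: {row['app']} {row['version']} "
                  f"{row['feed'] or ''}")
```

On a Mac, `scan(Path("/Applications"))` applies the same classification to installed apps; nested helper bundles are not visited.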

ghost commented 8 years ago

Thank you @pornel I will do that

ghost commented 8 years ago

@thotha I think that either AppCleaner and AppDelete are two totally different apps, or you are running a different version because this was my result: [screenshot]

ghost commented 8 years ago

@pornel How would I run the script you gave me?

ghost commented 8 years ago

Never mind. I found one vulnerable app and it is Malwarebytes Anti-Malware v1.1.3 which uses HTTP. I will contact them immediately to release an update (and also, @thotha, the script confirmed that AppCleaner uses a secure connection).

ghost commented 8 years ago

Thank you so much @pornel that was really helpful! All other apps were said to be safe if they were the latest version of the app with Malwarebytes Anti-Malware being the only exception.

Kosmic-Halo commented 8 years ago

@intechman13 So after checking in the DaisyDisk app, the only thing presented in the preference pane is a toggle for prompting a congrats message after cleaning is complete. Is this the norm for users who downloaded the app from the Mac App Store?

And is Malwarebytes Anti-Malware safe to download right now at the moment?

ghost commented 8 years ago

@Kosmic-Halo If you downloaded DaisyDisk off the Mac App Store then you don't need to worry about being vulnerable because the attack will only work on the version of DaisyDisk that is NOT downloaded off the Mac App Store.

As for Malwarebytes Anti-Malware, they have not yet released a patch update, so you might want to hold off on installing just yet. I will be contacting them about the issue and requesting an update, and I will let you know when the update is available.

ghost commented 8 years ago

Here is what the script outputted for me:


Unsafe applications found!

!!: Malwarebytes Anti-Malware 1.1.3 uses insecure feed URL 'http://data-cdn.mbamupdates.com/v1/mbam-mac/updates.xml' and an unpatched version of Sparkle (1.11.0) - it is UNSAFE

Please ask the apps' developers to update Sparkle to the secure version, as described at: https://sparkle-project.org/documentation/security

Kosmic-Halo commented 8 years ago

Understood @intechman13

ghost commented 8 years ago

Apps That Have Claimed to Have Been Patched:

AppCleaner: “Updated Sparkle (the in-app updater) to fix a security issue.”

BetterTouchTool: “Fixes the Sparkle vulnerability”

DetectX: “Improved: Sparkle security check can now be turned on and off in the Preferences Pane; default is 'Off'.”

Fitbit Connect: None

Fitbit Connect: None

Flux: None

Malwarebytes Anti-Malware: None

Malwarebytes Anti-Malware: None

TeamViewer: None

Transmit: None

VLC: “It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules.”

sweetppro commented 8 years ago

@pornel Thanks, great script. Here are my own apps:

```
ok: Cookie 5.0.3 uses HTTPS for updates - safe
ok: Invisible 1.6.2 uses HTTPS for updates - safe
ok: WiFiSpoof 2.2.5 uses HTTPS for updates - safe
ok: eMail Address Extractor 1.9.3 uses HTTPS for updates - safe
```

and the unsafe ones found:

```
!!: Gas Mask 0.8.3 uses insecure feed URL 'http://gmask.clockwise.ee/check_update/' and an unpatched version of Sparkle (313) - it is UNSAFE
!!: MacSymbolicator 1.1.1 uses insecure feed URL 'http://dl.dropboxusercontent.com/u/2439981/MacSymbolicator/Sparkle/appcast.xml' and an unpatched version of Sparkle (6f24f56) - it is UNSAFE
!!: Smaller 1.4 uses insecure feed URL 'http://25.io/smaller/up/updates.xml' and an unpatched version of Sparkle (313) - it is UNSAFE
!!: SoundCloud Downloader 2.6.4 uses insecure feed URL 'http://black-burn.ch/applications/scd/updates.php?hwni=1' and an unpatched version of Sparkle (892c5f1) - it is UNSAFE
!!: The Unarchiver 3.10.1 uses insecure feed URL 'http://unarchiver.c3.cx/updates.rss' and an unpatched version of Sparkle (1.11.0) - it is UNSAFE
!!: Transmission 2.84 uses insecure feed URL 'http://update.transmissionbt.com/appcast.xml' and an unpatched version of Sparkle (337) - it is UNSAFE
!!: fseventer 2.7.6 uses insecure feed URL 'http://www.fernLightning.com/appcasts/fseventer.xml' and an unpatched version of Sparkle (1.1) - it is UNSAFE
```

digitalmoksha commented 8 years ago

Versatil Markdown has been fixed

ok: Versatil Markdown 1.1.4 uses HTTPS for updates - safe

ghost commented 8 years ago

@Kosmic-Halo Here is what Malwarebytes said when I contacted them:

"We are aware of the issue, and are going to have an update that fixes the problem in beta shortly."

ghost commented 8 years ago

I ran the script in single user mode and this was the result:

[image: img_0487]

Kosmic-Halo commented 8 years ago

Do you mind telling us what script you ran?


ghost commented 8 years ago

The script that @pornel gave me above, @Kosmic-Halo

kornelski commented 8 years ago

@intechman13 the script didn't seem to work correctly for you — all app versions and URLs are missing

ghost commented 8 years ago

That was probably because I was in single user mode

Kosmic-Halo commented 8 years ago

Any updates on..?

- Knock
- Malwarebytes
- TunnelBear
- SmoothMouse

Thanks in advance!

ghost commented 8 years ago

@Kosmic-Halo I heard TunnelBear was fixed but not Malwarebytes

Kosmic-Halo commented 8 years ago

How about the app Arthur?