Applications using Sparkle #717

Closed
kornelski opened this issue Jan 20, 2016 · 150 comments

Comments

@kornelski
Member

Edit: this issue has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.

The Sparkle website lists some Mac apps that use the framework, but this list was compiled a while ago.

Edit: thanks for your suggestions! We've got a long list!

Here's my list:

  • Acorn
  • Adium
  • Bittorrent Sync
  • Carbon Copy Cloner
  • Cinch
  • Colloquy
  • Evernote
  • Fantastical
  • Fitbit Connect
  • Flux
  • Handbrake
  • iTerm
  • Karabiner
  • Sequel Pro
  • Sidestep
  • Slack
  • Transmission
  • Twitterrific
  • Vienna
  • Vivaldi
  • VLC
  • WebKit Nightly
  • Wine

@jakepetroules
Contributor

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk -F'.' '{print $1}'
  • Colloquy
  • Cyberduck
  • Dashlane
  • Fabric
  • Gitter
  • Goofy
  • ImageOptim
  • Messenger
  • Mou
  • Quicken 2016
  • Slack
  • SourceTree
  • TeamViewer
  • UnicodeChecker
  • XQuartz
  • VLC

@w0lfschild

AirParrot 2
AppCleaner
Bartender 2
CodeKit
DaisyDisk
DockMod
FinderPath
GridMount
Image2Icon
LiteIcon
Platypus
Reflector 2
Übersicht
XLD

@nlap

nlap commented Jan 29, 2016

AccountEdge Pro
AirServer
Bartender
BetterTouchTool
Billings
Boxer
Cakebrew
Capo
coconutBattery
Coda 2
ColorMunki Display
Cornerstone
CrossOver
Disk Drill
djay
duet
Go2Shell
GPG Keychain
HandBrake
HoudahSpot
Intensify Pro
MacDown
MAMP
Money
Monodraw
Notational Velocity
Paw
PhoneView
Sketch
TexShop
UnRarX

@mikemcc

mikemcc commented Jan 29, 2016

DiskMaker X
Fluid
Mailplane 3
uTorrent

@mmlac-bv

0 Adium.app
1 Cyberduck.app
2 Dash.app
3 Doit.im.app
4 Evernote.app
5 HipChat.app
6 iTerm.app
7 Karabiner.app
8 Merlin.app
9 Mixed In Key 6.app
10 Screenhero.app
11 Seil.app
12 SizeUp.app
13 Sublime Text 2.app
14 TeamViewer.app
15 VLC.app

@DomT4

DomT4 commented Jan 29, 2016

Ones not mentioned already:

  • Dash
  • DS_Store Cleaner
  • KeepingYouAwake
  • Keka
  • Malwarebytes Anti-Malware
  • Pacifist
  • Skim

@Miguel-Alonso

More apps:

Bitcasa
iChm
Keka
Last.fm
Paperless
RescueTime

@tergen

tergen commented Jan 29, 2016

More:

Marked 2
nvALT
TeX Live Utility

@xhacker
Contributor

xhacker commented Jan 29, 2016

  • Inboard
  • Arq
  • Texpad
  • Pomotodo

@jkbullard
Contributor

Um, so an application using Sparkle is an Issue? Why?

I understand that some applications that use Sparkle use it insecurely, but not all do. Tunnelblick, for example, uses https: for all Sparkle traffic.

@zorgiepoo
Member

@jkbullard No, you're right. Also, this thread is not related to the recent vulnerability

@Xaositek

  • AppZapper
  • BetterTouchTool
  • Coda 2
  • Colloquy
  • duet
  • Flux
  • HandBrake
  • iTerm
  • OpenEmu
  • Sequel Pro
  • Transmission
  • VLC

@vitu
Contributor

vitu commented Jan 30, 2016

Not yet mentioned:

  • A Better Finder Attributes
  • A Better Finder Rename
  • Alfred
  • BetterZip
  • Big Mean Folder Machine
  • Clarify
  • CleanMyMac (update framework based on Sparkle)
  • Cookie
  • JavaApplet (/Library/Internet Plugin-Ins)
  • GPG Suite
  • iMazing (update framework based on Sparkle)
  • Localization Suite (Localization Manager + Localization Dictionary + Localizer)
  • Mactracker
  • Moom
  • MplayerX
  • NetSpeedy
  • PhotoBulk
  • Piezo
  • Posterizo
  • PowerPhotos
  • Radar
  • WordCounter
  • XliffViewer

@nootrope

Not mentioned as of this writing:

@pejacoby

CD Spin Doctor (from Toast Titanium 10 app collection)
DynDNSUpdater
Coconut ID
Geekbench
Impactor
IPNetMonitor X
iStumbler
KisMAC
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware Service.xpc
NetSpot
OpenDNS Updater 3.0
PwnageTool
Quicken 2007

Is anyone building a list of apps that use HTTP vs HTTPS, related to the MITM vulnerability?

@davedittrich

Adium.app
BibDesk.app
Chicken.app
CoRD.app
Dragon Dictate.app
GitX.app
Gizmo5.app
GraphicConverter.app
HandBrake.app
iExplorer.app
Monolingual.app
PwnageTool-3.1.5.app
PwnageTool-4.2.app
RecBoot.app
rooSwitch.app
SIP Communicator.app
Song Surgeon 4.app
StuffIt 12
TeXShop.app
Timeline 3D.app
Transmission.app
Viscosity.app

@sindarina

Divvy
MDRP (Mac DVDRipper Pro)
Simon
Things
VoodooPad

@gaige

gaige commented Feb 1, 2016

Cartographica

@AVNSnax

AVNSnax commented Feb 2, 2016

HandBrakeBatch
Lyve
MacPilot
MyHarmony
PaintCode 2
TurboTax 2012-2015, at least
Versions
VideoMonkey

@laurentnguyen

  • AppDelete
  • duet
  • Flux
  • KeepingYouAwake
  • RightFont
  • SizeUp
  • Sketch
  • uTorrent
  • VLC

@ghost

ghost commented Feb 12, 2016

@thotha I am currently unaware of Little Snitch. I am just repeating what the VLC 2.2.2 release notes claimed: "It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules."

@thotha

thotha commented Feb 12, 2016

I hope the following information is helpful for users here and elsewhere who are concerned about the MITM bug in the Sparkle framework.
All developers I have contacted so far say that the MITM bug is only related to the automatic update feature. Turning that off and doing only manual updates of the applications is safe.

The following example can be used for applications which do not have a setting to turn off automatic backup! If such a setting does exist, it is preferred to use that setting instead!

Here is some feedback from the developer of LaunchControl and BackupLoupe, Robby Phälig:
"If you are concerned about MITM attacks I suggest you disable automatic updates for the time being.
An example for BackupLoupe:
If you want to disable automatic update checking for BackupLoupe, open Terminal.app and enter:
defaults write com.soma-zone.BackupLoupe SUEnableAutomaticChecks -bool false
This works for any application which relies on Sparkle.framework. Just replace "com.soma-zone.BackupLoupe" with the proper bundle identifier. You can find an application's bundle identifier by entering:
defaults read <APP>/Contents/Info.plist CFBundleIdentifier
You have to replace <APP> with the complete path to the application bundle. An example for BackupLoupe:
defaults read /Applications/Utilities/BackupLoupe.app/Contents/Info.plist CFBundleIdentifier"

@gingerbeardman

120! on my Mac.

8-Bitty Controller for OSX
A Better Finder Rename 10
Acorn
Adapter
Airfoil
Airfoil Speakers
Airfoil Video Player
AirServer
AppCleaner
AppViz
Audio Hijack
Bartender 2
BetterZip
Boxer
Carousel
Chatology
ChitChat
Chocolat
CloudApp
Cocktail
coconutBattery
CodeKit
Colloquy
ControllerMate
ControllerMate
Core Data Editor
CrossOver
Crunch
Dash
Desktop Curtain
Drive Genius 3
Enjoy2
Evom
Exhaust
Feeder
Feeder 3
Final Vinyl
Flashlight
Flux
fseventer
Get iPlayer Automator
Gitbox
Glyphs
HandBrake
iExplorer
iFunBox
ImageAlpha
ImageOptim
Infinit
iPhone Backup Extractor
iStumbler
iSubtitle
iTools
JPEGmini Pro
Keka
LevelHelper
LineIn
LiquidCD
Loop Editor
MDRP
MediaInfo Mac
MetaZ
Minbox
Miro Video Converter
Mou
MPEG2 Works 4
MPlayerX
MTR 5
Name Mangler
NameChanger
Notational Velocity
Noun Project
OpenEmu
Pacifist
PhoneView
PhysicsEditor
Piezo
Platypus
PlistEdit Pro
Plug
Radium
Retrode Utility
RipIt
RoadMovie
RoboFont
S3Hub
ScreenFlow
ScreenSharingMenulet
Sequel Pro
Simple Comic
Simul80
Sketch
Sketch Toolbox
Sound Studio
Stay
Subler
Submerge
Tagger
TeamViewer
TechTool Pro 8
TexturePacker
Transmission
Transmit
UnRarX
VelOCRaptor
VideoMonkey
VideoSpec
Vienna
VisualHub
VLC
Witgui
Wondershare Video Converter Ultimate
xACT
XLD
XQuartz
xScope
Xslimmer
Yarg
Yate
Zwoptex

@gloubibou

HoudahSpot: Advanced file search
HoudahGeo: Photo geotagging solution
Tembo: File search assistant

Recent versions use HTTPS for appcast and release notes

@ghost

ghost commented Feb 13, 2016

I am adding PowerPhotos to the list.

@ChadTaljaardt

CloudApp
CyberGhost 5
Debookee
Flux
TeamViewer
uTorrent
VLC

@domelias

iReal Pro's tech support checked with the developers: the newest version, from this week (iReal Pro 7.0), uses the newest version of Sparkle and is thus safe to auto-update.

@ghost

ghost commented Feb 13, 2016

@domelias That's right, you can enable auto-updating once the application has been patched.

@ghost

ghost commented Feb 13, 2016

THESE APPLICATIONS HAVE BEEN OFFICIALLY PATCHED:

App Cleaner
BetterTouchTool
DetectX
PowerPhotos
VLC

@ghost

ghost commented Feb 14, 2016

@thotha I have tested the claims of VLC being patched and have realized that VLC still uses an HTTP connection in v2.2.2 and is therefore still unsafe. VLC is STILL vulnerable!

@ghost

ghost commented Feb 14, 2016

Apps That Have Claimed to Have Been Patched:

AppCleaner:
“Updated Sparkle (the in-app updater) to fix a security issue.”

BetterTouchTool:
“Fixes the Sparkle vulnerability”

DetectX:
“Improved: Sparkle security check can now be turned on and off in the Preferences Pane; default is 'Off'.”

Fitbit Connect:
None

Fitbit Connect:
None

Flux:
None

Malwarebytes Anti-Malware:
None

Malwarebytes Anti-Malware:
None

TeamViewer:
None

Transmit:
None

VLC:
“It fixes numerous security issues, notably in the MP4, RealRtsp and Sparkle modules, but also important crashes for the MXF, ADPCM, Telextext, Skins and Qt modules.”

@sweetppro

My apps which use Sparkle:
Cookie 5
Cookie
WiFiSpoof
Invisible
Privatus
eMail Address Extractor
Hides

all current versions use https for updating

@lemkesoft

I updated GraphicConverter 9 and CADintosh today.
Both use now the latest Sparkle and https.

@TraderStf

@jakepetroules thanks for the terminal command. I always have 'Malwarebytes Anti-Malware' twice.
I have checked, only one app.

I found why with the cmd:
find /Applications -name Sparkle.framework | awk -F'/' '{print $(NF-3)}'

Malwarebytes Anti-Malware.app
Malwarebytes Anti-Malware Service.xpc
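The two one-liners quoted in this thread (the `find ... Sparkle.framework` inventory above and the `defaults write ... SUEnableAutomaticChecks -bool false` advice from the BackupLoupe developer) can be combined into one small audit script, which also answers the earlier question about which apps fetch their appcast over plain HTTP. The script below is an added example and is not code from the Sparkle project or from anyone in this thread. It reads each bundle's CFBundleIdentifier and the Sparkle SUFeedURL key from Info.plist with awk, so it works only on XML plists (on a Mac, `defaults read` or `plutil` would handle binary ones), and it deduplicates the "listed twice" case where a helper .xpc inside an app carries its own copy of the framework. So that it runs anywhere, it builds a constructed fixture of fake .app bundles under $TMPDIR; the bundle ids and feed URLs in that fixture are made up. On a Mac you would call `report /Applications` instead.

```sh
#!/bin/sh
# Added example: inventory Sparkle-using apps under a root and report the
# scheme of each app's appcast feed. Not from the Sparkle project or this thread.
# Assumes XML (not binary) Info.plist files; the fixture bundles are constructed.

set -u

FIXTURE="${TMPDIR:-/tmp}/sparkle_inventory_fixture"

# Write a minimal Info.plist for a fake app bundle that embeds Sparkle.framework.
mk_app() {  # mk_app <root> <name.app> <bundle id> <feed url>   (hypothetical values)
  app="$1/$2"
  mkdir -p "$app/Contents/Frameworks/Sparkle.framework/Versions/A"
  cat >"$app/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>$3</string>
    <key>SUFeedURL</key>
    <string>$4</string>
</dict>
</plist>
EOF
}

# Constructed fixture standing in for /Applications.
build_fixture() {
  rm -rf "$FIXTURE"
  mk_app "$FIXTURE" "Secure.app" "com.example.secure" "https://updates.example.invalid/appcast.xml"
  mk_app "$FIXTURE" "Legacy.app" "com.example.legacy" "http://updates.example.invalid/appcast.xml"
  # A helper XPC service inside Secure.app with its own Sparkle copy (the
  # "listed twice" case from the thread); it must resolve to the parent app.
  mkdir -p "$FIXTURE/Secure.app/Contents/XPCServices/Helper.xpc/Contents/Frameworks/Sparkle.framework"
  # An app without Sparkle, which must not appear in the report.
  mkdir -p "$FIXTURE/Plain.app/Contents/MacOS"
}

# Print the <string> value that follows <key>KEY</key> in an XML plist.
plist_value() {  # plist_value <Info.plist> <key>
  awk -v k="$2" '
    $0 ~ ("<key>" k "</key>") { hit = 1; next }
    hit && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
  ' "$1"
}

# Each top-level .app containing Sparkle.framework, once per app even when a
# nested helper (.xpc) carries its own copy: trim everything after the first ".app/".
sparkle_apps() {  # sparkle_apps <root>
  find "$1" -type d -name Sparkle.framework | while IFS= read -r fw; do
    printf '%s.app\n' "${fw%%.app/*}"
  done | sort -u
}

# Classify a feed URL by scheme.
feed_scheme() {  # feed_scheme <url>
  case "$1" in
    https://*) echo https ;;
    http://*)  echo http ;;
    '')        echo none ;;
    *)         echo other ;;
  esac
}

# The per-app command quoted in the thread, generated (not executed) for a
# bundle id so it can be reviewed before being run on the Mac in question.
disable_auto_checks_cmd() {  # disable_auto_checks_cmd <bundle id>
  printf 'defaults write %s SUEnableAutomaticChecks -bool false\n' "$1"
}

# One tab-separated line per Sparkle app: name, bundle id, feed scheme.
report() {  # report <root>
  sparkle_apps "$1" | while IFS= read -r app; do
    plist="$app/Contents/Info.plist"
    id=$(plist_value "$plist" CFBundleIdentifier)
    url=$(plist_value "$plist" SUFeedURL)
    printf '%s\t%s\t%s\n' "$(basename "$app" .app)" "$id" "$(feed_scheme "$url")"
  done
}

# Number of Sparkle apps whose appcast is fetched over plain http.
count_http_feeds() {  # count_http_feeds <root>
  report "$1" | awk -F'\t' '$3 == "http" { n++ } END { print n + 0 }'
}

build_fixture
report "$FIXTURE"
```

An app whose SUFeedURL is https is not automatically safe (the framework version and how the downloaded update is verified matter too, as the VLC discussion in this thread shows), so the report is an inventory to prioritise checks, not a verdict. The generated `defaults write` line is printed rather than run on purpose: disabling automatic checks is a per-user preference change that an admin should review, and the bundle id should be confirmed from Info.plist first, exactly as the quoted advice describes.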

@TraderStf

If you don't like to use Terminal, DetectX version 2.14 and above lists the apps using Sparkle with/out https.
Preferences, checkmark, run, bottom of window, drag it down to see the black drawer.

@ghost

ghost commented Feb 20, 2016

Thank you @TraderStf that was very helpful.

@Kosmic-Halo

Any updates on..?

  • Knock
  • Malwarebytes
  • TunnelBear
  • SmoothMouse

Thanks in advance!

@Kosmic-Halo

How about the apps Arthur, Viscosity, ClipMenu?

@skull-squadron

Not obviously vulnerable (current stable version only)

  • Adium
  • BibDesk
  • Boxer
  • Bartender 2
  • Bodega (abandoned, still useful for Sparkle version update detection)
  • Boxcar
  • ClipMenu (abandoned? open-source)
  • coconutBattery
  • Cyberduck
  • Dash
  • Expandrive
  • Flux
  • GPGTools Suite (GPG Keychain, GPGPreference, GPGMail_Updater, MacGPG2_Update, etc.)
  • Hands Off!
  • Handbrake
  • iFunBox
  • iTerm 2
  • TechSmith Jing
  • Jitsi
  • Karabiner
  • LaTeXiT
  • Lingon X
  • Mou (abandoned?)
  • Pacifist
  • Reveal
  • Seil
  • Shady (abandoned? and open-source)
  • SourceTree
  • TeX Live Utility
  • TeXShop
  • Toast Titanium
  • TotalFinder
  • Transmission
  • Transmit
  • VLC (Sparkle framework updated, appcast uses http:// but downloads are signed)
  • VLC Setup (not VLC)
  • XQuartz

Could be vulnerable / unreachable appcast

  • Breakaway (abandoned? and open-source)
  • Kismac NG (abandoned?)
  • UnRarX (abandoned?)

@simonkramer

Sparkle for the MacOS application TeXShop has the suboptimal habit of accumulating what appear to be old versions of TeXShop in the folder /Users/username/Library/Application Support/TeXShop/.Sparkle (where "username" is a placeholder). In my case, these (40!) old versions unnecessarily occupy a total of ~3.5GB. IMHO, this state of affairs should be optimised (at most 3 old versions should be kept).

@kornelski
Member Author

@simonkramer The accumulation of copies in application support has been fixed a while ago. It'll stop happening when the app updates to the current version of Sparkle.

@ghost

ghost commented Jun 15, 2016

@Kosmic-Halo Malwarebytes v1.2.4.584 has been patched!!!!!

@xor-gate

xor-gate commented Aug 5, 2022

The syncthing-macos project uses Sparkle
