Auto-Update Vulnerability in Sparkle

A security vulnerability has been found in Sparkle, the framework used by many Mac applications to check for and download software updates automatically. Full details are at:

http://arstechnica.com/security/2016/02/huge-number-of-mac-apps-vulnerable-to-hijacking-and-a-fix-is-elusive/

While some of our applications (like HistoryHound) are usingĀ older versions of the Sparkle framework at the moment, they all use encrypted HTTPS connections to check for and download updates, so there’s no chance of a man-in-the-middle attack, as described in the report.

So you can safely leave automatic update checking turned on in all of our products – it’s being done safely.

– Jon

2 Responses to “Auto-Update Vulnerability in Sparkle”

  1. William K Elbring says:

    I agreed to update Default Folder X and then left my computer. When i returned, all that I saw was a request from “Autoupdate” to provide my system password. If this is legitimate, it is terrible design. I need to know the genesis of any such request. I can only infer that it is a consequence of updating Default Folder X. That’s not good enough.

    • Jon says:

      Sorry about that – this completely depends on how you have the permissions set up on your computer – I don’t have control over that. The fact that the request comes from “Autoupdate” is something I _can_ fix, of course – I’ll see what’s involved (DFX employs the Sparkle auto-update framework to do update checking and installation, as do almost all non-App Store applications, and this is the standard behavior of Sparkle).

      [Update]: I’ve found the necessary code – it’ll be called “Default Folder X Updater” in future releases. Thanks for pointing this out.

Leave a Reply