Sparkle vulnerability and list of safe apps

Many OS X apps use Sparkle as update library.

Recently a vulnerability in the software has been discovered. Affected apps are those using a vulnerable version of Sparkle on an unencrypted HTTP connection to receive data from their update servers. Those apps are subject to man-in-the-middle attacks that could install malicious code.

You can read more about this security issue on ArsTecnica.

List of safe apps

In alphabetical order, the minimum safe versions of apps using Sparkle.

App name / Safe since / Notes

• CodeKit 1.7.1, prior releases should be unaffected
• Dash 3.2.2
• iTerm 2.1.4 and 2.9
• SourceTree 2.2
• Spectacle 1.0.2
• VLC 2.2.2

Post constantly updated as I discover new safe versions.

---

Related links

• https://github.com/sparkle-project/Sparkle/issues/717