Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Bill Cheeseman <email@hidden>
- Date: Fri, 12 Feb 2016 09:06:50 -0500
Intuit's Quicken for Mac 2016 was updated yesterday to version 3.0.5 with this explanation: "Enhanced the security of the Software Update window (shown when an update is available)." Yet our scripts show that the new version is still using Sparkle 1.8.0 and HTTP. I assume Intuit applied a Sparkle patch. If so, this illustrates the difficulty of determining which applications are really still problematic.
This is why I designed my script to list all Sparkle-using applications in a chosen folder and to report their Sparkle version and HTTP/HTTPS usage. I don't want to tell users that an application like Quicken is vulnerable when it presumably now isn't. Just give the user all relevant and available information, and let them do what they think appropriate to deal with it.
Quicken for Mac 2016 requires OS X v10.10 Yosemite or newer, so they should have been able to update to Sparkle 1.13.1. I wonder why they chose not to do that. For that matter, I wonder why so many Sparkle-using applications that don't require Snow Leopard are still using much older versions of Sparkle.
AppleScript-Users mailing list (email@hidden)
Archives: http://lists.apple.com/archives/applescript-users
This email sent to email@hidden
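The kind of inventory the message describes (every Sparkle-using application in a folder, with its Sparkle version and feed transport) can be sketched as follows. This is an added example, not the script from the message; it assumes the framework is embedded at `Contents/Frameworks/Sparkle.framework` and the feed is declared under `SUFeedURL` in the application's `Info.plist`, and the sample bundles are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError

def read_plist(path):
    """Parse an XML or binary plist; return {} if missing, unreadable or not a dict."""
    try:
        with open(path, "rb") as f:
            data = plistlib.load(f)
    except (OSError, ValueError, ExpatError):
        return {}
    return data if isinstance(data, dict) else {}

def audit_app(app):
    """Report dict for one .app bundle, or None if it embeds no Sparkle."""
    fw = app / "Contents/Frameworks/Sparkle.framework"
    if not fw.is_dir():
        return None
    # Resources is normally a symlink into Versions/<X>; try both layouts.
    candidates = [fw / "Resources/Info.plist",
                  *sorted(fw.glob("Versions/*/Resources/Info.plist"))]
    fw_info = next((p for p in map(read_plist, candidates) if p), {})
    feed = read_plist(app / "Contents/Info.plist").get("SUFeedURL")
    scheme = urlparse(feed).scheme.lower() if isinstance(feed, str) else ""
    # No static SUFeedURL is reported as "unknown", never guessed.
    return {"app": app.name, "feed": feed, "transport": scheme or "unknown",
            "sparkle": fw_info.get("CFBundleShortVersionString", "unknown")}

def audit_folder(folder):
    """Audit every top-level .app in folder, skipping bundles without Sparkle."""
    return [r for r in map(audit_app, sorted(Path(folder).glob("*.app"))) if r]

def build_sample(root):
    """Constructed test bundles (not real applications)."""
    for name, ver, scheme in [("OldHttp", "1.8.0", "http"),
                              ("NewHttps", "1.13.1", "https"), ("NoSparkle", None, None)]:
        contents = Path(root) / f"{name}.app" / "Contents"
        contents.mkdir(parents=True)
        info = {"SUFeedURL": f"{scheme}://updates.example.com/appcast.xml"} if ver else {}
        with open(contents / "Info.plist", "wb") as f:
            plistlib.dump(info, f)
        if ver:
            res = contents / "Frameworks/Sparkle.framework/Versions/A/Resources"
            res.mkdir(parents=True)
            with open(res / "Info.plist", "wb") as f:
                plistlib.dump({"CFBundleShortVersionString": ver}, f)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(*audit_folder(d), sep="\n")
```

The output is an inventory rather than a verdict: a bundle reporting an old version over HTTP may carry a vendor patch, which is the Quicken case raised in the message.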