Hello. Been reading about the security vulnerability affecting apps that use Sparkle for automatic updating. I do not see any adjustable settings to activate or disable auto-updating in preferences for The Unarchiver. Is there such a preference setting, or is there a simple way to check it and change it if necessary? OR perhaps more simply, do you have any plans to issue an update that addresses the Sparkle vulnerability? Thanks in advance for any assistance/information you can provide.
I'll fix it in the next version, but the vulnerability seems difficult enough to exploit that I don't think there is an urgent need for a fix.
OK, thanks. Having now had a chance to read more details, it does sound like perhaps this vulnerability might have had its severity exaggerated at first. On its own, auto-updating is obviously both a convenience and a reassurance. The only odd thing is that some apps do not include a preference setting to let the user choose whether to activate auto-updating.
This attack has been weaponized and is in the wild. <https://www.evilsocket.net/2016/01/30/osx-mass-pwning-using-bettercap-and-the-sparkle-updater-vulnerability/>.
Apologies, I broke that link. Here it is:
It still requires you to actually get MITM'd first, which is not that easy to achieve. And if you are, there are plenty of other attacks you might be exposed to.