Scrivener 2.8 still using insecure Sparkle

Hi
I just downloaded Scrivener 2.8 directly, since I had turned off automatic updates because 2.7 was using an old version of the Sparkle framework which is potentially vulnerable to hijacking as described here:

arstechnica.com/security/2016/02 … s-elusive/

Scrivener 2.8 is still using Sparkle 1.6.1 whereas the fix appeared in Sparkle 1.13.1. It looks like at least two other people posted about this back in February and never got replies.

Could someone from L&L please clarify whether Scrivener is loading any assets via Sparkle with http rather than https?

thanks
Derick

It should be using encrypted communications at this point, that is what my tests indicate at any rate, by monitoring the raw ’net traffic Scrivener produces when checking for updates.

We’ll be using the new library when we can, but it is not compatible with older 32-bit frameworks.

@derick,
Thanks for the heads-up on this. A way you can check if an app is calling for http or https for updates is by using the following code (by SpudMuppet) that’s posted here: arstechnica.com/security/2016/02 … uote#reply, located in the comments section of the Ars article you linked to in your OP.

The output for me then was, and now is, http for Scrivener 2.7. I haven’t updated to 2.8, yet.

EDIT: I’ve downloaded 2.8 from the L&L site; uploaded to VT - scan report clean; installed; ran the above-mentioned cmd in terminal; output for Scrivener 2.8 is https.
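An offline way to make the same kind of check from an app bundle's own metadata, added here as an example (it is not the SpudMuppet command from the Ars comments, which is not reproduced in this thread): it reads Sparkle's SUFeedURL key from the app's Info.plist and the bundled framework's version string, and flags a non-https feed or a Sparkle older than 1.13.1. The sample plists are constructed, and the bundle paths in assess_bundle assume the standard Sparkle.framework layout.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlsplit

# Sparkle version containing the fix mentioned in the thread.
FIXED_SPARKLE_VERSION = (1, 13, 1)

# Constructed samples: an app's Contents/Info.plist (SUFeedURL is
# Sparkle's standard feed key) and the framework's own Info.plist.
SAMPLE_APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict></plist>"""
SAMPLE_SPARKLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleShortVersionString</key><string>1.6.1</string>
</dict></plist>"""

def parse_version(text):
    """'1.13.1' -> (1, 13, 1); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def feed_uses_tls(app_plist):
    """True if SUFeedURL is https, False if not, None if the key is absent.
    An app can also set its feed URL in code, so None is inconclusive."""
    url = plistlib.loads(app_plist).get("SUFeedURL")
    if url is None:
        return None
    return urlsplit(url).scheme.lower() == "https"

def sparkle_is_patched(sparkle_plist):
    version = plistlib.loads(sparkle_plist).get("CFBundleShortVersionString", "0")
    return parse_version(version) >= FIXED_SPARKLE_VERSION

def assess(app_plist, sparkle_plist):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    tls = feed_uses_tls(app_plist)
    if tls is None:
        findings.append("no SUFeedURL in Info.plist (feed may be set in code)")
    elif not tls:
        findings.append("SUFeedURL is not https")
    if not sparkle_is_patched(sparkle_plist):
        findings.append("bundled Sparkle is older than 1.13.1")
    return findings

def assess_bundle(app_dir):
    # Assumed layout of a real .app bundle that embeds Sparkle.framework.
    contents = Path(app_dir) / "Contents"
    sparkle = contents / "Frameworks" / "Sparkle.framework" / "Resources" / "Info.plist"
    return assess((contents / "Info.plist").read_bytes(), sparkle.read_bytes())
```

Run assess_bundle("/Applications/SomeApp.app") against an installed bundle; this only inspects the static feed URL and framework version, so a clean result still merits the traffic check described above.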

Thanks for independently confirming that. And yes, I should have mentioned that since the fix is in 2.8, running the updater from 2.7 will still be insecure. Anyone concerned with using the downloader should download the DMG directly from the main product page and drag that into Applications (or wherever it is installed) over the old version of Scrivener, replacing it.

You’re welcome. Information such as this should always be readily available.

[Off-topic: Results from my searches at this forum for information haven’t exclusively pointed to your posts, but far more often than not your ‘name’ appears. Thank you for being one of my, until now, unacknowledged teachers. And, to everyone else who spends the time to share their experiences and/or solutions - Thank you, as well.]

You’re quite welcome! 8)