All direct apps updated to improve update security

Yes, that’s right, we’ve updated the updater in our direct apps. Our direct apps rely on Sparkle to inform you when there are new versions available. Over the weekend, we were made aware of a potential vulnerability in how we implemented Sparkle. Basically, if your network is already compromised by what’s called a Man in the Middle attack, then it’s possible an attacker could use the Sparkle update mechanism in our apps to remotely execute code on your Mac. That’s bad.

Although this is a relatively small exposure (as you must already be on a compromised network), we felt it was important to act on it right away, so we’ve updated all of our apps to use Sparkle over secure HTTP (HTTPS). Please update any directly-purchased Many Tricks apps immediately.

Important: There’s a bit of a Catch-22 here … in order to get you this update, it must come over insecure HTTP, because that’s how Sparkle in the app you’re using is configured. If you are concerned that you might be on a compromised network, please do not update using the in-app updater. Instead, just download the relevant app(s) directly from our site, which uses HTTPS.
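One way to see which installed apps are still configured for an HTTP update feed, as an added example that is not Many Tricks' or Sparkle's own code. It assumes the feed URL is stored under Sparkle's `SUFeedURL` key in each bundle's `Contents/Info.plist`; apps that set their feed some other way are not seen by this check.

```python
"""Audit .app bundles for Sparkle update feeds fetched over plain HTTP."""
import plistlib
import sys
from pathlib import Path
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError


def classify_feed(url):
    """Return 'secure', 'insecure' or 'unknown' for a Sparkle feed URL."""
    if not isinstance(url, str):
        return "unknown"
    scheme = urlparse(url.strip()).scheme.lower()
    return {"https": "secure", "http": "insecure"}.get(scheme, "unknown")


def audit_apps(root):
    """Scan root for *.app bundles; return (app, feed, verdict) tuples.

    Bundles with no SUFeedURL key (assumption: no Sparkle feed configured in
    Info.plist) are skipped; plists that cannot be parsed are 'unreadable'.
    """
    results = []
    for app in sorted(Path(root).glob("*.app")):
        info = app / "Contents" / "Info.plist"
        if not info.is_file():
            continue
        try:
            with info.open("rb") as fh:
                plist = plistlib.load(fh)  # handles XML and binary plists
        except (plistlib.InvalidFileException, ExpatError, OSError, ValueError):
            results.append((app.name, None, "unreadable"))
            continue
        feed = plist.get("SUFeedURL") if isinstance(plist, dict) else None
        if feed is None:
            continue  # no Sparkle feed declared in Info.plist
        results.append((app.name, feed, classify_feed(feed)))
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for name, feed, verdict in audit_apps(root):
        print(f"{verdict:10} {name}  {feed}")
```

Any app reported as `insecure` should be replaced with a copy downloaded over HTTPS rather than updated through its in-app updater.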

If you have any questions on this update, please leave a comment or email us directly, and we’ll do our best to address your questions.

Note: Although our App Store apps don’t use Sparkle, we know they’re out of date with some of the other minor bug fixes that came with these releases. We’ll be submitting updates to the App Store next week to get App Store users current.
