Thanks for the heads up! I will ask our team to begin testing 10.11.4 right away so we can stay on top of any changes. I also looked into the Sparkle vulnerability:
In short, all applications that use the Sparkle Updater framework and are connecting over HTTP instead of a secure HTTPS connection are vulnerable. Since Sparkle throws an error in case of an invalid SSL certificate by default, it helps to protect against MITM attacks when used wisely.
We are most definitely serving the Sparkle xml and our updates via SSL with EV and we have remained aware of the possibility of man in the middle attacks for any auto update process. Also, the pkg is code signed and the user must manually walk through the install process. So in the unlikely event anything fishy is going on the user can cancel the update.
While this makes for a less slick update (you can see the auto update window hang out over the installer) we feel this is best for the short term until we are 1000% confident in the process.
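The two conditions described above (the appcast feed URL in the app's Info.plist and every update enclosure must be served over HTTPS) can be checked statically before a release ships. The script below is an added example, not code from this thread or from the Sparkle project: it reads the real Sparkle `SUFeedURL` key from an Info.plist and the `<enclosure url="...">` entries from an appcast, and reports any that use a scheme other than `https`. The plist, appcast and `updates.example.com` URLs are constructed sample data for this illustration.

```python
"""Audit a Sparkle-based app's update configuration for plain-HTTP use.

Checks the SUFeedURL entry in Info.plist and every <enclosure> url in the
appcast; any scheme other than https is reported. The sample plist and
appcast below are constructed for this example, not real release data.
"""
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed Info.plist (SUFeedURL is Sparkle's real key; the URL is made up).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.dps</string>
    <key>SUFeedURL</key><string>http://updates.example.com/appcast.xml</string>
</dict>
</plist>
"""

# Constructed appcast: one enclosure served over https, one over http.
SAMPLE_APPCAST = b"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>Example DPS updates</title>
    <item>
      <title>Version 2.0.1</title>
      <enclosure url="https://updates.example.com/DPS-2.0.1.pkg" sparkle:version="2.0.1" length="1" type="application/octet-stream"/>
    </item>
    <item>
      <title>Version 2.0.0</title>
      <enclosure url="http://updates.example.com/DPS-2.0.0.pkg" sparkle:version="2.0.0" length="1" type="application/octet-stream"/>
    </item>
  </channel>
</rss>
"""


def insecure_urls(urls):
    """Return the subset of urls whose scheme is not https."""
    return [u for u in urls if urlparse(u).scheme.lower() != "https"]


def feed_url_from_plist(plist_bytes):
    """Extract SUFeedURL from Info.plist bytes; None if the key is absent."""
    info = plistlib.loads(plist_bytes)
    return info.get("SUFeedURL")


def enclosure_urls_from_appcast(appcast_bytes):
    """Collect the url attribute of every <enclosure> element in the appcast."""
    root = ET.fromstring(appcast_bytes)
    return [enc.get("url", "") for enc in root.iter("enclosure")]


def audit(plist_bytes, appcast_bytes):
    """Return findings: feed and enclosure URLs that are not served over https."""
    findings = {"feed": [], "enclosures": []}
    feed = feed_url_from_plist(plist_bytes)
    if feed is None:
        findings["feed"].append("SUFeedURL missing")
    else:
        findings["feed"] = insecure_urls([feed])
    findings["enclosures"] = insecure_urls(enclosure_urls_from_appcast(appcast_bytes))
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_INFO_PLIST, SAMPLE_APPCAST)
    for kind, bad in result.items():
        status = "OK" if not bad else "PLAIN HTTP: " + ", ".join(bad)
        print(f"{kind}: {status}")
```

This is a configuration check only: it confirms the URLs point at HTTPS endpoints, which is the precondition for Sparkle's certificate validation to matter. It does not replace the runtime protections the post relies on (a valid certificate on the update host and a code-signed package that the user installs manually).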
Version 220.127.116.11 is now available for update
There are several tweaks to this final beta release. We feel this is a solid release candidate:
- The main UI is now opened on first run.
- The stereo widening values are now always pulled from the current selected profile.
- Fixed a hang with the login window if the user has not added name info to their mybongiovidps account.
- Removed the restart requirement from the installer.
- Removed the read-only warning for the profiles directory.
- The DPS application folder is now opened in the Finder after installation.
- Added an alert dialog at launch if the app couldn’t connect to the DPS driver, with an option to reboot the system.
- Changed the notification message at startup to be the same as Win version.