Security issues in Updater for Pre-1.4.6 Cartographica Versions

If you have version 1.4.6 (the current shipping version since May 2015) or greater, then your Cartographica is not susceptible to this problem. If you are running 1.4.5 or lower, please read this message.

The updater that we use in Cartographica (Sparkle) has been found to have a specific set of vulnerabilities that can cause remote execution.

The specific problems can be exploited via a MITM (Man-in-the-Middle) attack, resulting in arbitrary code execution in the JavaScript portion of the display that Cartographica shows during updates.

Unbeknownst to us, we mitigated this problem last spring when we moved to using SSL/TLS for our updater feed. As such, if you've kept your copy of Cartographica up to date, you're in good shape.
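As an added example (not Cartographica's or Sparkle's own code), here is a small Python audit for the condition this advisory describes: a Sparkle feed URL or appcast resource fetched over plain HTTP, which is what lets a MITM substitute the content Sparkle renders during an update. It assumes Sparkle's standard `SUFeedURL` Info.plist key and `sparkle:` appcast namespace; the plist and appcast data are constructed samples.

```python
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SU_FEED_KEY = "SUFeedURL"  # Sparkle's Info.plist key naming the appcast feed
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample: an app whose feed is still served over plain HTTP.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleName</key><string>ExampleApp</string>
<key>SUFeedURL</key><string>http://updates.example.com/appcast.xml</string>
</dict></plist>"""

# Constructed sample appcast: HTTPS download, but plaintext release-notes page.
SAMPLE_APPCAST = """<rss version="2.0" xmlns:sparkle="%s">
<channel><item>
<title>Version 1.0.1</title>
<sparkle:releaseNotesLink>http://updates.example.com/notes.html</sparkle:releaseNotesLink>
<enclosure url="https://updates.example.com/App-1.0.1.zip" sparkle:version="1.0.1"/>
</item></channel></rss>""" % SPARKLE_NS


def is_plaintext(url):
    """True if the URL is not fetched over HTTPS and so can be tampered with in transit."""
    return urlparse(url).scheme.lower() != "https"


def audit_info_plist(plist_bytes):
    """Return the feed URL if the app's Sparkle feed is plaintext, else None."""
    info = plistlib.loads(plist_bytes)
    url = info.get(SU_FEED_KEY)
    if url is None:
        return None  # not a Sparkle app, or the key is missing
    return url if is_plaintext(url) else None


def audit_appcast(appcast_xml):
    """List (element, url) for every non-HTTPS resource an appcast makes Sparkle fetch."""
    findings = []
    for item in ET.fromstring(appcast_xml).iter("item"):
        notes = item.find("{%s}releaseNotesLink" % SPARKLE_NS)
        if notes is not None and notes.text and is_plaintext(notes.text.strip()):
            findings.append(("releaseNotesLink", notes.text.strip()))
        enc = item.find("enclosure")
        if enc is not None and is_plaintext(enc.get("url", "")):
            findings.append(("enclosure", enc.get("url", "")))
    return findings


if __name__ == "__main__":
    print("feed:", audit_info_plist(SAMPLE_PLIST))
    print("appcast:", audit_appcast(SAMPLE_APPCAST))
```

Running the same two functions over a real `Contents/Info.plist` and the appcast it points to is the check to make before trusting an app's built-in updater.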

The next release of Cartographica will include a further update to the underlying software updater, which takes more steps against this or a similar vulnerability occurring in the future.

If you are running a version lower than 1.4.6, we encourage you to update directly from the Cartographica Download Page. Once you've done that, the updater should be sufficiently secure.