Mistakes are a part of life.

They're not a great part, but when viewed "correctly", they're an opportunity.

Well, we have three opportunities, brought to our attention by a security researcher. They're security vulnerabilities that have been in SuperDuper! since the very first version, released almost 22 years ago.

Today, we're releasing fixes for the current release (the SuperDuper! v3.20 Beta is already fixed), a discussion of the problems, and the steps users can take to mitigate the issues if they cannot install the update.

As of this post, we don't know of any bad actors exploiting these vulnerabilities.

Mistake #1 (CVE-2025-61228)

Our auto-update mechanism could be hijacked and convinced to install a package that isn't SuperDuper's.

Even though we sign and notarize our installer package, Gatekeeper does not check that signature and notarization when the package is installed through macOS's package installer. As such, the download could be swapped for a different package, and we'd install that instead. Since the install runs with escalated privileges, a malicious third-party program, which you would also have to have installed, could use this to gain administrator access to your system.

This can only happen if a malicious program already running on your system is waiting for SuperDuper to perform an update, a real update is presented through legitimate means, and you click Upgrade.

To fix this, we've done three things:

  1. We've put out an update, which you may have seen before reading this post, that explains that the fixed version of SuperDuper, v3.11, should be downloaded and installed directly from the Shirt Pocket web site...and the Upgrade button, at the bottom of the window, should not be pressed.

  2. We've changed our updater to validate the signature and notarization of the install package ourselves before installing the update.

  3. After this announcement, we will not present update notices for any version of SuperDuper prior to v3.11 unless absolutely necessary, and in those cases we will clearly indicate, as we have here, that the user should not click Upgrade. Users who cannot install the update can prevent these notices from appearing by turning off automatic updates in SuperDuper's preferences.
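One way to implement the check in step 2 before a downloaded package is handed to the installer, as an added example that is not Shirt Pocket's code: it shells out to macOS's own pkgutil and spctl and refuses the package unless the leaf certificate is a Developer ID Installer certificate carrying the expected Team ID, pkgutil reports the notarization as trusted, and Gatekeeper's install assessment accepts the file. The Team ID ABCDE12345, the company name, and the sample tool output embedded below are constructed placeholders, not Shirt Pocket's.

```python
"""Pre-install check for a downloaded .pkg.  Added example, not Shirt Pocket's
code: before the updater hands a package to the installer, confirm it is
signed by the expected Developer ID and accepted by Gatekeeper as notarized."""
import re
import subprocess
import sys

# Hypothetical placeholder; a real updater pins its own Apple Team ID.
EXPECTED_TEAM_ID = "ABCDE12345"

# Constructed sample output in the shape the two tools print, so the policy
# can be exercised on a machine without the package (or without macOS).
SAMPLE_PKGUTIL = """Package "SuperDuper.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Example Co (ABCDE12345)
       Expires: 2030-01-01 00:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA
"""
SAMPLE_SPCTL = "SuperDuper.pkg: accepted\nsource=Notarized Developer ID\n"


def run(cmd):
    """Run a command and return (exit status, combined stdout+stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def parse_check_signature(output):
    """Pull status, notarization and the leaf certificate out of
    `pkgutil --check-signature` output.  Missing fields come back empty."""
    status = re.search(r"^\s*Status:\s*(.+)$", output, re.M)
    notarization = re.search(r"^\s*Notarization:\s*(.+)$", output, re.M)
    # Entry 1 of the chain is the leaf, e.g. "1. Developer ID Installer: Co (TEAMID)"
    leaf = re.search(r"^\s*1\.\s*(.+?)\s*\(([A-Z0-9]{10})\)\s*$", output, re.M)
    return {
        "status": status.group(1).strip() if status else "",
        "notarization": notarization.group(1).strip() if notarization else "",
        "leaf_name": leaf.group(1) if leaf else "",
        "team_id": leaf.group(2) if leaf else "",
    }


def package_is_trusted(sig, spctl_status, spctl_output, team_id=EXPECTED_TEAM_ID):
    """The policy.  Every condition must hold; any ambiguity means "do not install"."""
    return (
        sig["leaf_name"].startswith("Developer ID Installer:")
        and sig["team_id"] == team_id
        and sig["status"].startswith("signed by a developer certificate issued by Apple")
        and "trusted by the Apple notary service" in sig["notarization"]
        and spctl_status == 0
        and ": accepted" in spctl_output
        and "source=Notarized Developer ID" in spctl_output
    )


def verify_package(path):
    """Run both tools on the exact file that is about to be installed."""
    _, sig_out = run(["pkgutil", "--check-signature", path])
    spctl_status, spctl_out = run(["spctl", "--assess", "--type", "install", "-vv", path])
    return package_is_trusted(parse_check_signature(sig_out), spctl_status, spctl_out)


def demo():
    """Offline check of the policy against the constructed samples."""
    return package_is_trusted(parse_check_signature(SAMPLE_PKGUTIL), 0, SAMPLE_SPCTL)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("sample package accepted:", demo())
    elif verify_package(sys.argv[1]):
        print(f"{sys.argv[1]}: signed by expected Developer ID and notarized; safe to install")
        # Only now hand it to the installer, e.g. installer -pkg <path> -target /
    else:
        sys.exit(f"refusing to install {sys.argv[1]}: signature/notarization check failed")
```

Two caveats when using a check like this. The file must be verified in a location other users cannot write to, and the very same file handed to the installer without re-downloading, otherwise a local program could swap it between the check and the install. And `spctl --assess --type install` is the Gatekeeper assessment for installer packages; running it yourself is what closes the gap described above, where the package installer does not perform it.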

Mistake #2 (CVE-2025-57489)

When the lock in SuperDuper's main window is unlocked, so that backups can run without your having to enter an administrator password each time, a third-party program could make use of our authorization to run something other than a backup with administrator privileges.

Again, this can only happen if you install something that is, itself, malicious. And it's one mechanism of many that could be used by a bad actor to gain "root" access on your system. But this one is due to our error.

To fix it, as above, we've done three things:

  1. In the same update notice, we've instructed people to install SuperDuper v3.11, downloaded directly from the web site.

  2. We've changed our program to validate that the commands being executed with escalated privileges are actually coming from our own, known, sealed, signed source.

  3. Users who cannot run the new version can lock the lock in the main window, which closes the security hole.

While the new SuperDuper v3.11, released today, ensures that all users who could run v3.10 are no longer vulnerable, one problem remains: we cannot fix older versions of SuperDuper. There are versions of SuperDuper available for macOS versions as early as 10.1, and we have no way to rebuild them. On top of that, we cannot "patch" the faulty element, because SuperDuper itself ensures that it's unmodified before running, and would refuse to run at all if patched.

Unfixed versions can be made secure by locking the lock in the main window. However, doing so means scheduled backups will not run: with the lock locked, all backups must be made by manually running SuperDuper.

Mistake #3 (CVE-2025-61229)

User-settable Before/After shell scripts ran escalated, with SuperDuper's TCC Full Disk Access permission. Since those shell scripts are referenced by the settings files for the copy or schedule, a malicious actor could modify those settings to have their own script run with those privileges.

As before, this would require another malicious program to be installed.

To mitigate this vulnerability, in v3.11 we've made two changes:

  1. Before/After shell scripts are forced to run with the user's ID and privileges. Individuals who require alternative execution contexts can do so through normal Unix methods such as suid. (Note that macOS, like other Unix systems, ignores the setuid bit on a shell script itself; a script that must do privileged work needs to call a setuid wrapper binary, or use sudo with a suitable sudoers rule.)

  2. Scripts must be owned by the root user, even when run in the normal user's context. This ensures that any script that would run has been explicitly authorized by an administrative user.
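A hardened hook runner that enforces both rules, added here as an example and not SuperDuper's own implementation. It goes beyond what the two items above state: besides requiring root ownership and running the script as the ordinary user, it also rejects a script that is group- or world-writable, a symlink, or located under a directory that a non-root user could write to or rename within, since in those cases root ownership of the file alone does not prove that an administrator authorized its contents. The function names (`run_hook`, `path_problems`, and so on) and the constructed mode values in the comments are this example's own.

```python
"""Hardened runner for a user-configurable Before/After hook script.
Added example, not SuperDuper's code: enforce "root-owned script, run as
the ordinary user", plus the checks that make root ownership meaningful."""
import os
import pwd
import stat
import subprocess


def script_problems(uid, mode):
    """Reasons a script (uid and st_mode from os.lstat) must not run; [] means OK."""
    problems = []
    if stat.S_ISLNK(mode):
        problems.append("is a symlink, which its owner could repoint")
    elif not stat.S_ISREG(mode):
        problems.append("is not a regular file")
    if uid != 0:
        problems.append(f"owned by uid {uid}, not root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("is group- or world-writable, so root ownership proves nothing")
    return problems


def directory_problems(uid, mode):
    """Reasons an ancestor directory is unsafe.  A non-root owner, or anyone
    with write access to a non-sticky directory, can rename the root-owned
    script aside and drop in a file of their own under the same name."""
    problems = []
    if uid != 0:
        problems.append(f"directory owned by uid {uid}, not root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
        problems.append("directory is writable by others and not sticky")
    return problems


def path_problems(path):
    """Check the script file and every directory above it, up to /."""
    path = os.path.abspath(path)
    st = os.lstat(path)
    problems = [f"{path} {p}" for p in script_problems(st.st_uid, st.st_mode)]
    d = os.path.dirname(path)
    while True:
        dst = os.lstat(d)
        problems += [f"{d}: {p}" for p in directory_problems(dst.st_uid, dst.st_mode)]
        parent = os.path.dirname(d)
        if parent == d:          # reached the filesystem root
            break
        d = parent
    return problems


def drop_to_user(username):
    """Permanently switch this (root) process to `username` before exec."""
    pw = pwd.getpwnam(username)
    os.initgroups(username, pw.pw_gid)   # supplementary groups first,
    os.setgid(pw.pw_gid)                 # then primary group,
    os.setuid(pw.pw_uid)                 # then uid: the irreversible step
    try:                                 # prove we cannot get root back
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop failed: could regain uid 0")
    os.environ["HOME"] = pw.pw_dir
    os.environ["USER"] = username


def run_hook(path, username):
    """Run the hook as `username`, or refuse with every reason listed."""
    problems = path_problems(path)
    if problems:
        raise PermissionError("refusing to run hook: " + "; ".join(problems))
    # preexec_fn runs in the child after fork and before exec
    return subprocess.run([path], preexec_fn=lambda: drop_to_user(username)).returncode


if __name__ == "__main__":
    import sys
    sys.exit(run_hook(sys.argv[1], sys.argv[2]))
```

Run it as root (the context a privileged backup helper is already in) with the script path and the account to run it as. On macOS the directory rule means a script under /usr/local/bin passes while one under the user's home directory is refused, because the home directory is owned by that user and its owner can rename anything inside it, root-owned or not. The privilege drop sets supplementary groups, gid and uid in that order and then proves it cannot regain uid 0 before the script is exec'd.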

Note that these Before/After scripts are explicitly referenced in the What's going to happen? section of the main window. Users who cannot update to v3.11 are advised to review that information before pressing Copy Now to ensure no unexpected entries are present.

Practical Considerations

People running old versions of macOS, with old versions of SuperDuper, on old Macs, are exposed to many security vulnerabilities, from web pages that can gain escalated privileges due to bugs in Safari or its sandbox, to other errors in the kernel that can do the same. These errors, when found, are fixed, but those fixes are not available to earlier macOS versions. Once a Mac becomes "vintage", or a version of macOS is no longer supported, security updates are no longer provided, and those issues persist.

On a system where we cannot provide a fix, you have to make a judgement call after balancing the risks of this flaw being exploited, in your personal situation, versus the inconvenience of having to manually perform backups. If you do not install malicious programs from sketchy sources after these vulnerabilities have been disclosed, you are at the same level of risk you were at before, especially since you were already at risk from actors who could exploit your unsupported OS without installing another application, such as by simply visiting a web page.

However, if you feel the additional risk is too great, you can lock the lock, set a scheduled reminder via iCal, and perform your backups manually (and, of course, you can, and should, use Time Machine as well).

Arrgh-arrgh-arrgh-arrgh (argh)

This post obviously uses a more serious tone than you may be used to on the blog.

We take security and safety extremely seriously here—if we didn't, we wouldn't have made a backup program—and, to be frank, feel frustrated and ashamed that our program can be exploited to make your system less safe.

We've taken the steps needed to fix the bugs, inform our valued users, registered or not, about the problems, and have explained how to mitigate them on any version of SuperDuper, old or new. As previously mentioned, and as far as we are aware, these vulnerabilities have not been exploited by a bad actor (which does not mean they can't be, of course).

We'd like to thank the anonymous security researcher who brought these bugs to our attention, and for working with us to verify that our fixes have corrected the errors they found.

Finally, we'd like to take this opportunity to apologize to all our users for these bugs. We hate making mistakes. We're truly sorry for these, and will continue to do our best to put out versions of SuperDuper that you can trust as one method, of many, to keep your data safe.

Thanks for reading, and for using SuperDuper. We couldn't continue to do this without you.

--Dave Nanian & Bruce Lacey