SuperDuper Security Update v3.11

Dave Nanian and Bruce Lacey, at Shirt Pocket:

Mistakes are a part of life.

They’re not a great part, but when viewed “correctly”, they’re an opportunity.

Well, we have three opportunities, brought to our attention by a security researcher. They’re security vulnerabilities that have been in SuperDuper! since the very first version, released almost 22 years ago.

Today, we’re releasing fixes for the current release (the SuperDuper! v3.20 Beta is already fixed), a discussion of the problems, and the steps users can take to mitigate the issues if they cannot install the update.

We don’t know of any bad actors making use of these exploits as of this post.

Another good postmortem, with technical details and an apology.

Monday, 24 November 2025