In a rare admission of long-standing vulnerabilities, macOS backup tool SuperDuper! has revealed three critical security flaws present since its initial release 22 years ago. The vulnerabilities, disclosed by developer Shirt Pocket, could allow attackers to gain administrator privileges through the application's update mechanism, unlocked execution mode, or user-configurable shell scripts.

The most severe flaw, CVE-2025-61228, targets SuperDuper!'s auto-update process. When a user clicks the "Upgrade" button, macOS's package installer fails to validate the notarization of downloaded packages. This creates a hijacking vector where a malicious third-party program could intercept the update and install arbitrary code with escalated privileges.

"Since the install is being done with escalated privileges, that could allow a malicious 3rd party's program... to gain administrator access to your system."

The second vulnerability, CVE-2025-57489, exploits the application's unlocked state. When the security lock is disabled to bypass password prompts, third-party applications could abuse SuperDuper!'s authorization to execute unauthorized commands with root privileges.

The third flaw, CVE-2025-61229, involves user-configurable Before/After shell scripts. These scripts execute with SuperDuper!'s Full Disk Access permissions, but their configuration is stored in editable settings files. Attackers could modify these references to run malicious scripts.

Mitigation and Remediation
Shirt Pocket has released SuperDuper! v3.11 addressing all vulnerabilities. Key fixes include:
- Mandatory signature validation for update packages
- Command origin verification for privileged operations
- Script execution under user privileges with root ownership requirements

For users unable to update, the vendor recommends:
1. Disabling automatic updates in preferences
2. Keeping the security lock engaged (disabling scheduled backups)
3. Manually verifying Before/After script paths before execution

Legacy System Challenges
The disclosure highlights a persistent challenge for legacy software. SuperDuper! versions for macOS 10.1 cannot be patched due to the application's self-integrity checks, forcing users to choose between manual backups and continued exposure.

"People running old versions of macOS... are exposed to many security vulnerabilities... Once a Mac becomes 'vintage', security updates are no longer provided."

In an unusually candid statement, Shirt Pocket expressed frustration and shame over the flaws, emphasizing their commitment to security despite the embarrassment. The anonymous researcher who discovered the vulnerabilities was thanked for their cooperation.

For developers and system administrators, this incident underscores the critical need for continuous security auditing in long-lived software projects. The SuperDuper! case demonstrates how even well-intentioned tools can become attack vectors when update mechanisms and privilege boundaries aren't rigorously enforced.

Source: Shirt Pocket, via https://www.shirt-pocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/