A security vulnerability was recently reported on the Sparkle framework that many applications, including CCC, use to manage application updates. The report indicates that applications using non-secure (e.g. http rather than https) URLs to retrieve application update information could be vulnerable to a "man in the middle" attack.

We don't use any non-secure URLs within CCC, and that has been the case for a while. To be very specific in regards to the reported Sparkle vulnerability, CCC uses an HTTPS URL when checking for and downloading updates and release notes. In fact, as of CCC 4.1.5, it's not even possible for CCC to use an insecure (HTTP) URL, OS X El Capitan would forbid access to that resource.

Download CCC 4 today and make a bootable backup of your Mac!