Tech

Apple patches Xcode, fixes severe vulnerabilities

The tech giant has applied new security fixes for Xcode's git implementation.

Written by Charlie Osborne, Contributing Writer May 5, 2016 at 1:25 a.m. PT

Apple has released a security update for Xcode's git implementation which patches two critical flaws leading to remote code execution.

Xcode is a development environment which contains a suite of software development tools for the creation of OS X, iOS, WatchOS and tvOS software. The update, now available for OS X El Capitan v10.11 and later, brings Xcode to version 7.3.1.

The fixes target the development suite's git version control system implementation and addresses CVE‑2016‑2315 and CVE‑2016‑2324.

Security

CVE‑2016‑2315 is a heap-based buffer overflow vulnerability based on an incorrect integer data type flaw which allows attackers to remotely execute arbitrary code through either long file names or nested trees.

CVE‑2016‑2324 is similar and has the same code execution consequences, but is made possible through an integer overflow bug.

Xcode 7.3.1 can be downloaded here.

As noted by ThreatPost, security researcher Mattias Geniar wrote about the flaws in March this year. In a blog post, Geniar said the vulnerabilities had the potential to be "huge" as both server and client-side systems could be vulnerable to remote code execution by attackers.

"In order to push to a remote git repository, you need write access which for most git servers would require some kind of authentication / authorization first," the researcher noted. "However, for services like Bitbucket or Github where you can create or clone a repository without approval from an admin, the consequences could be bigger as anyone can attempt to trigger the vulnerability."

In March, Apple patched iOS 9.3 to resolve an activation bug which prevented some users from activating their mobile devices after updating.