Apple Patches Xcode to Correct Serious Git Security Flaw
How can programmers keep track of all the changes that get made to a piece of software during its development while keeping everyone else on the project in the loop? Answering that challenge is the purpose of what is known as a “version control system.” This is a framework and system for sharing code, tracking changes to that code, and more. One of the most popular version control systems is Git, originally developed to contribute to development on the Linux platform. Today, Git-derived systems power programming efforts on many platforms, including macOS. However, these systems, as with many others, can be a weak point that leads to a malicious attack.
Recently, researchers uncovered two flaws in Git implementations that could have exposed users to some big risks. Since Git is also used to share open source code, it could be used as an attack vector. One of the vulnerabilities recently disclosed involved a scenario in which a hacker could create a Git repository that was deliberately malformed. Within this repository would be a special sub-module containing a payload of malicious code. If a user “cloned” or copied this repository into their own Git deployment, an internal process within the Git framework could allow the module to activate. It would then give the hacker the opportunity to run whatever code they wished on the infected machine.
These flaws affected Apple devices, too, through the Xcode development environment. For versioning purposes, Xcode contains its own deployment of Git, and thus it was also susceptible to the flaws exposed in these vulnerability reports. However, both Git maintainers and Apple moved quickly to close these loopholes and restore security. Git was updated promptly, and Apple has now released its own fix for Xcode in version 9.4.1 as of June 13, 2018.
While the average user may not ever encounter this flaw, developers and others who work on the Mac platform should update their Xcode installations as soon as possible. Rather than run the risk of encountering a malicious repository on Git, it’s simply better to eliminate the possibility of attack now. Xcode 9.4.1 is now available for download online from Apple’s website.