SecureMac, Inc.


Apple Patches Xcode to Correct Serious Git Security Flaw

Posted on June 25, 2018

How can programmers keep track of all the changes made to a piece of software during its development while keeping everyone else on the project in the loop? Answering that challenge is the purpose of a “version control system”: a framework for sharing code, tracking changes to that code, and more. One of the most popular version control systems is Git, originally developed to support development on the Linux platform. Today, Git-derived systems power programming efforts on many platforms, including macOS. However, these systems, as with many others, can be a weak point that opens the door to a malicious attack.

Recently, researchers uncovered two flaws in Git implementations that could have exposed users to significant risks. Because Git is also used to share open source code, it could serve as an attack vector. One of the recently disclosed vulnerabilities involved a scenario in which a hacker could create a deliberately malformed Git repository. Within this repository would be a special submodule containing a payload of malicious code. If a user “cloned,” or copied, this repository into their own Git deployment, an internal process within the Git framework could allow the module to activate, giving the hacker the opportunity to run whatever code they wished on the infected machine.

These flaws affected Apple devices, too, through the Xcode development environment. For versioning purposes, Xcode contains its own deployment of Git, and thus it was also susceptible to the flaws exposed in these vulnerability reports. However, both Git maintainers and Apple moved quickly to close these loopholes and restore security. Git was updated promptly, and Apple has now released its own fix for Xcode in version 9.4.1 as of June 13, 2018.

While the average user may not ever encounter this flaw, developers and others who work on the Mac platform should update their Xcode installations as soon as possible. Rather than run the risk of encountering a malicious repository on Git, it’s simply better to eliminate the possibility of attack now. Xcode 9.4.1 is now available for download online from Apple’s website.
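To confirm that a Mac has the fixed release, the following added example (not code from SecureMac or Apple) classifies the output of `xcodebuild -version` against the 9.4.1 threshold named above. It assumes the first output line has the form `Xcode <version>`; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: is this Xcode install at or above the release with the Git fix?
FIXED_XCODE="9.4.1"   # fixed version named in the article

# Constructed sample of `xcodebuild -version` output (build string is a placeholder).
SAMPLE_OUTPUT='Xcode 9.4
Build version CONSTRUCTED'

# Pull the dotted version out of xcodebuild output; prints nothing if absent.
xcode_version_from_output() {
    printf '%s\n' "$1" |
        awk '$1 == "Xcode" && $2 ~ /^[0-9]+(\.[0-9]+)*$/ { print $2; exit }'
}

# Return 0 if dotted version $1 >= $2. Fields are compared numerically, so
# 10.0 > 9.4.1 and 9.10 > 9.4; a missing field counts as 0, so 9.4 < 9.4.1.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Classify xcodebuild output: prints "patched", "needs-update" or "unknown".
xcode_git_fix_status() {
    v=$(xcode_version_from_output "$1")
    if [ -z "$v" ]; then echo "unknown"
    elif version_ge "$v" "$FIXED_XCODE"; then echo "patched"
    else echo "needs-update"
    fi
}

echo "sample: $(xcode_git_fix_status "$SAMPLE_OUTPUT")"

# On a Mac with Xcode installed, check the live install; skipped elsewhere.
if command -v xcodebuild >/dev/null 2>&1; then
    echo "this machine: $(xcode_git_fix_status "$(xcodebuild -version 2>/dev/null)")"
fi
```

This covers only the Git bundled with Xcode; a Git installed separately, for example through a package manager, is updated on its own.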
