
Apple, Microsoft, GitHub Release Updates to Fix Critical Git Vulnerability

Posted on December 19, 2014 in Security

The distributed revision control system Git is affected by a serious vulnerability that could be exploited by an attacker to execute arbitrary commands and take over a developer’s machine.

The flaw (CVE-2014-9390) affects every version of the official Git client released before the fix, as well as related software that interacts with Git repositories. Git 2.2.1 has been released to address the issue, and the fix has also been backported to the older maintenance tracks (1.8.5.6, 1.9.5, 2.0.5 and 2.1.4).

The vulnerability, which affects users whose working copies live on case-insensitive filesystems, as they do by default on Windows and Mac OS X, was discovered by the developers of Mercurial, the cross-platform distributed revision control tool. They initially identified the security hole in Mercurial, but after further investigation determined that Git is affected as well.

GitHub for Windows and GitHub for Mac have been updated to address the vulnerability. GitHub says GitHub Enterprise and github.com are not directly affected, but users are advised to update their clients as soon as possible.

Maintenance versions that include the fix for this flaw have also been released for libgit2 and JGit, two major Git libraries. Since Microsoft uses libgit2 in Visual Studio products, the company has rolled out patches for Visual Studio Online, Codeplex, Visual Studio Team Foundation Server (TFS) 2013, Visual Studio 2013 RTM, Visual Studio 2013 Update 4, and for the VS 2012 VSIX extension.

Apple’s integrated development environment Xcode also uses Git. The issue has been addressed by adding additional checks in Xcode 6.2 beta 3.

The disclosure of the vulnerability and the release of patches have been coordinated by all affected parties.

“The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” GitHub’s Vicent Marti explained in a blog post.

Marti noted that the flaw doesn't affect Linux clients running on a case-sensitive filesystem: Git refuses to check out a tree entry literally named .git, but an entry whose name differs only in case, such as .GIT, passes that check, and on a case-insensitive filesystem it is written into the repository's real .git directory. However, Junio Hamano, who has maintained Git since 2005, pointed out that some Linux users might also have to take measures.

“Even though the issue may not affect Linux users, if you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git,” Hamano said in an advisory.
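As an added illustration (not code from Git, GitHub or the original article), the following Python scans the file paths of a tree for any component that would collide with .git on a case-insensitive or case-normalizing filesystem, which is the check a client or a hosting service of the kind Hamano describes needs before writing such a tree to disk or accepting it in a push. It goes beyond the case-only variant the article spells out: the NTFS 8.3 short name GIT~1 and the code points HFS+ ignores when comparing names are modeled on the checks Git 2.2.1 added behind its core.protectNTFS and core.protectHFS settings. The sample tree, the function names and the exact set of ignored code points are this example's own assumptions.

```python
import unicodedata

# Code points that HFS+ ignores when comparing file names, so ".g\u200cit"
# and ".git" name the same directory on a default OS X volume. The set is
# modeled on the one Git's protectHFS check uses; treating it as complete
# is an assumption of this example, the article lists none of them.
HFS_IGNORED_CODE_POINTS = frozenset({
    0x200C, 0x200D, 0x200E, 0x200F,
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F,
    0xFEFF,
})


def hfs_fold(component: str) -> str:
    """Approximate how HFS+ compares a name: decompose to NFD and drop the
    code points it ignores. Case folding is done by the caller."""
    decomposed = unicodedata.normalize("NFD", component)
    return "".join(ch for ch in decomposed
                   if ord(ch) not in HFS_IGNORED_CODE_POINTS)


def is_dotgit_component(component: str) -> bool:
    """Return True if a single path component would resolve to the
    repository's own .git directory on a case-insensitive (NTFS) or
    case-normalizing (HFS+) filesystem.

    Git already rejected the literal name ".git"; the CVE-2014-9390
    variants differ only in case (".GIT"), in HFS+-ignored code points,
    or in being the NTFS 8.3 short name ("GIT~1") of the .git directory.
    """
    folded = component.casefold()
    if folded == ".git":
        return True
    if hfs_fold(folded) == ".git":
        return True
    if folded == "git~1":  # NTFS short-name alias for .git
        return True
    return False


def find_dotgit_paths(tree_paths):
    """Given the file paths of a tree (for example the output of
    `git ls-tree -r --name-only <commit>`), return every path that has a
    component colliding with .git. An empty list means the tree is clean."""
    flagged = []
    for path in tree_paths:
        if any(is_dotgit_component(part) for part in path.split("/")):
            flagged.append(path)
    return flagged


# Constructed sample tree for this example, not taken from a real repository.
SAMPLE_TREE = [
    "README.md",
    "src/main.c",
    ".gitignore",                       # benign: the component is not .git
    "docs/.gitmodules",                 # benign: .gitmodules is a file name
    ".GIT/config",                      # case variant of .git
    "vendor/.Git/hooks/post-checkout",  # nested case variant
    ".g\u200cit/config",                # HFS+ drops U+200C, leaving .git
    "GIT~1/config",                     # NTFS 8.3 short name of .git
]

if __name__ == "__main__":
    for path in find_dotgit_paths(SAMPLE_TREE):
        print("REJECT", repr(path))
```

Run over the sample tree, the four entries that begin with a .git alias are flagged and the two .gitignore/.gitmodules entries are not, because the comparison is per path component rather than a prefix match. A hosting service would apply the same check to every tree reachable from a pushed commit and reject the push, so that clients still running older Git versions on Windows or Mac OS X never fetch such a tree; Git 2.2.1 also taught git fsck to flag these entries, which a server enforces by enabling receive.fsckObjects.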

Microsoft’s Brian Harry believes that an attack leveraging this vulnerability is likely to work only in certain environments.

“For someone to do this to you, they have to have commit rights to a repo that you pull from. Inside a corporation, that would likely have to be an attack from the inside. The most likely (not only, but most likely) scenario here is in some small OSS project. Large ones generally have pretty well known/trusted committers,” Harry said.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Apple iPhone ‘Threat to National Security’: Chinese Media

Posted on July 12, 2014 in Security

BEIJING – Chinese state broadcaster CCTV has accused US technology giant Apple of threatening national security through its iPhone’s ability to track and time-stamp a user’s location.

The “frequent locations” function, which can be switched on or off by users, could be used to gather “extremely sensitive data”, and even state secrets, said Ma Ding, director of the Institute for Security of the Internet at People’s Public Security University in Beijing.

The tool gathers information about the areas a user visits most often, partly to improve travel advice. In an interview broadcast Friday, Ma gave the example of a journalist being tracked by the software as a demonstration of her fears over privacy.

“One can deduce places he visited, the sites where he conducted interviews, and you can even see the topics which he is working on: political and economic,” she said.

The frequent locations function is available on iOS 7, the operating system used by the current generation of iPhones released in September 2013. “CCTV has only just discovered this?” said one incredulous Chinese microblogger.

The dispute is not the first time Apple has been embroiled in controversy in China, where its products are growing in popularity in a marketplace dominated by smartphones running Google’s Android operating system.

Apple lost a lawsuit against a Chinese state regulator over patent rights to voice recognition software such as the iPhone’s “Siri” just this week.

In March 2013 the Californian company was notably the target of criticism orchestrated by the Chinese media on behalf of consumers, who were critical of poor after-sales service.

And in 2012 the US firm paid $60 million to settle a dispute with another Chinese firm over the iPad trademark.

The privacy scare also reflects mutual distrust between the US and China after a series of allegations from both sides on the extent of cyber-espionage.

Leaks by former US government contractor Edward Snowden have alleged widespread US snooping on China, and this month it was reported Chinese hackers had penetrated computer networks containing personal information on US federal employees.

Apple did not immediately respond when contacted by AFP for comment.


© AFP 2013



Apple Denies Cooperating With NSA to Develop iPhone Backdoor

Posted on January 1, 2014 in Security

Apple has added its name to the list of companies denying they have ever cooperated with the National Security Agency to create backdoors in any of its products.

The statement followed news of an NSA document leaked by German news magazine Der Spiegel that included a description of a program targeting Apple iPhones called DROPOUTJEEP. The document, which is dated 2008, describes the program as being under development with the goal of making it possible “to remotely download or upload files to a mobile phone.”

“It would also, according to the catalog, allow the NSA to divert text messages, browse the user’s address book, intercept voicemails, activate the phone’s microphone and camera at will, determine the current cell site and the user’s current location,” Der Spiegel reported.

The initial release was said to be focused on installing the program through physical access, though developers would be working to include a remote access capability in the future.

Security researcher Jacob Appelbaum, who co-authored an article in Der Spiegel on the issue, stated at the Chaos Communication Congress on Dec. 30 that the NSA’s boast of a 100 percent success rate in compromising devices suggests that Apple may have cooperated with the agency.

In response, Apple issued a statement to media outlets that it has never worked with the NSA to develop a backdoor for any of its products, and is unaware of NSA programs to do so.

“Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements,” according to the statement. “Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.”

The same NSA document also mentioned tools for compromising products from vendors such as Cisco Systems, Juniper Networks and Dell. Those companies have likewise denied any knowledge of or involvement in the NSA activities.

Brian Prince is a Contributing Writer for SecurityWeek.
