November 23, 2024

Apple, Microsoft, GitHub Release Updates to Fix Critical Git Vulnerability

Posted on December 19, 2014 in Security

The distributed revision control system Git is affected by a serious vulnerability that could be exploited by an attacker to execute arbitrary commands and take over a developer’s machine.

The flaw (CVE-2014-9390) affects all versions of the official Git client and related software that interacts with Git repositories. Git 2.2.1 has been released to address the issue, but updates have also been made available for older maintenance tracks (1.8.5.6, 1.9.5, 2.0.5, 2.1.4).

The vulnerability, which affects users running Windows and Mac OS X, was discovered by the developers of the cross-platform, distributed revision control tool Mercurial. They initially identified the security hole in Mercurial, but after further investigation, they determined that Git is affected as well.

GitHub for Windows and GitHub for Mac have been updated to address the vulnerability. GitHub says GitHub Enterprise and github.com are not directly affected, but users are advised to update their clients as soon as possible.

Maintenance versions that include the fix for this flaw have also been released for libgit2 and JGit, two major Git libraries. Since Microsoft uses libgit2 in Visual Studio products, the company has rolled out patches for Visual Studio Online, Codeplex, Visual Studio Team Foundation Server (TFS) 2013, Visual Studio 2013 RTM, Visual Studio 2013 Update 4, and for the VS 2012 VSIX extension.

Apple’s integrated development environment Xcode also uses Git. The issue has been addressed by adding additional checks in Xcode 6.2 beta 3.

The disclosure of the vulnerability and the release of patches have been coordinated by all affected parties.

“The vulnerability concerns Git and Git-compatible clients that access Git repositories in a case-insensitive or case-normalizing filesystem. An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine,” GitHub’s Vicent Marti explained in a blog post.

Marti noted that the flaw doesn’t affect Linux clients if they run in a case-sensitive filesystem. However, Junio Hamano, who has maintained Git since 2005, has pointed out that some Linux users might also have to take measures.

“Even though the issue may not affect Linux users, if you are a hosting service whose users may fetch from your service to Windows or Mac OS X machines, you are strongly encouraged to update to protect such users who use existing versions of Git,” Hamano said in an advisory.
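A defender-side audit for the tree shape Marti describes, as an added example that is not code from Git, GitHub or the original article: it lists the paths recorded in a revision and flags any path component that a case-insensitive or case-normalizing filesystem could treat as `.git`. The folding rule (NFC, drop invisible format characters, casefold) is a conservative assumption rather than any filesystem's exact behavior, and the sample paths are constructed.

```python
import subprocess
import unicodedata


def fold_component(name: str) -> str:
    """Conservative stand-in for a case-insensitive / case-normalizing
    filesystem's name comparison (an assumption, not any OS's exact rule)."""
    name = unicodedata.normalize("NFC", name)
    # Drop invisible format characters so they cannot hide a match.
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    return name.casefold()


def suspicious_paths(paths):
    """Return the paths that contain a component folding to '.git'."""
    return [p for p in paths
            if any(fold_component(c) == ".git" for c in p.split("/"))]


def tree_paths(repo: str, rev: str = "HEAD"):
    """List every file path recorded in `rev` without checking anything out."""
    out = subprocess.run(
        ["git", "-C", repo, "ls-tree", "-r", "-z", "--name-only", rev],
        check=True, capture_output=True,
    ).stdout
    return [p.decode("utf-8", "replace") for p in out.split(b"\0") if p]


# Constructed sample paths (not taken from any real repository).
CONSTRUCTED_TREE = [
    "README.md",
    "src/main.c",
    ".GIT/config",                      # folds to .git/config
    "docs/.gitignore",                  # legitimate: not a '.git' component
    "vendor/.Git/hooks/post-checkout",  # nested component folds to .git
    ".github/workflows/ci.yml",         # legitimate: '.github' != '.git'
]

if __name__ == "__main__":
    for hit in suspicious_paths(CONSTRUCTED_TREE):
        print("refuse checkout:", hit)
```

On a real repository, run `suspicious_paths(tree_paths(repo, rev))` after a `git fetch` or `git clone --no-checkout`, before the working tree is populated.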

Microsoft’s Brian Harry believes that an attack leveraging this vulnerability is likely to work only in certain environments.

“For someone to do this to you, they have to have commit rights to a repo that you pull from. Inside a corporation, that would likely have to be an attack from the inside. The most likely (not only, but most likely) scenario here is in some small OSS project. Large ones generally have pretty well known/trusted committers,” Harry said.

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Microsoft to Release Critical IE Patch Next Week

Posted on March 7, 2014 in Security

Microsoft plans to release five security bulletins next week for this month’s Patch Tuesday, including a fix for a security vulnerability used in attacks against Internet Explorer 10.

That vulnerability, which was described in Security Advisory 2934088, was spotted being used in watering hole attacks during the past few weeks. The bug also affects Internet Explorer 9, and could be exploited if the victim is tricked into visiting a compromised Website. Customers using other versions of IE are not impacted, Microsoft noted.

In addition to the IE bulletin, Microsoft will release one other critical bulletin for Windows. The other three bulletins are rated ‘important’ and affect Microsoft Windows and Microsoft Silverlight.

“The March patch list is small, with only five bulletins, but they are certainly significant,” said Ken Pickering, director of engineering at CORE Security. “There are two bulletins listed as ‘critical’ with remote code executions, one on Internet Explorer and one on a series of Windows versions. These types of bulletins need immediate attention and a reboot, which is always a headache for IT teams. Bulletin 5 only affects Silverlight, and aside from using it to stream House of Cards on Netflix, doesn’t have a big impact.”

“Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore,” blogged Wolfgang Kandek, CTO of Qualys. “Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end-of-life date…so you need a strategy for the XP machines remaining in your infrastructure.”

The Patch Tuesday updates will be released March 11.

Brian Prince is a Contributing Writer for SecurityWeek.

Obama to Release Review Panel Report Into NSA Spy Sweeps

Posted on December 18, 2013 in Security

WASHINGTON – The White House will release a review Wednesday calling for reforms in National Security Agency spying sweeps, exposed by Edward Snowden, which have angered US allies and raised legal and privacy concerns.

President Barack Obama’s spokesman Jay Carney said the report by a review panel was being released earlier than a planned date in January due to incomplete and inaccurate media reporting about its contents.

Obama met members of the review panel earlier on Wednesday to work through the 46 recommendations in the report.

“While we had intended to release the review group’s full report in January … given the inaccurate and incomplete reports in the press about the report’s content, we felt it was important to allow people to see the full report to draw their own conclusions,” Carney said.

“For that reason, we will be doing that this afternoon — releasing the full report.”

Obama commissioned the review panel report earlier this year in the wake of explosive revelations by fugitive intelligence contractor Snowden on the stunning scope of the NSA’s operations.

He has said he wants to strike a balance between keeping Americans safe from terrorist threats and safeguarding privacy rights guaranteed by the US Constitution.

The review board comprises former White House counter-terrorism advisor Richard Clarke; Michael Morell, the ex-deputy director of the CIA; Peter Swire, an official specializing in privacy and technology issues; constitutional law professor Geoffrey Stone; and Cass Sunstein, a former regulatory official in the Obama administration.

The president has said he would try to get the shady spy agency to restrain its Internet and phone data collection operations but is expected to allow them to continue in some form.

Obama is due to consider which of the recommendations he will accept and will then make a speech to the American people in January.

The release of the report comes with intense pressure building on the administration over the programs, from political opponents, the Internet industry and even the courts.

A federal judge in Washington this week ruled that NSA programs, which have scooped up millions of details on telephone calls and Internet traffic on Americans and foreigners, were probably unconstitutional.

The ruling opened a long legal battle which is likely to end up in the Supreme Court.

© AFP 2013