Apple needs to update Git in Mac OS X distributions

Apr 18, 2016 10:40 GMT

A researcher has identified a security issue in Apple's Mac operating system, caused by an older version of Git that comes bundled with OS X.

The problem resides in Git, a version control system (VCS) that allows developers to manage source code repositories, keeping track of code changes from version to version.

Mac versions come bundled with insecure Git versions

Rachel Kroll has discovered that El Capitan comes bundled with an older version of Git that's exposing users to two possible attacks, due to the CVE-2016-2324 and CVE-2016-2315 vulnerabilities present in all Git versions 2.7.3 and prior. El Capitan comes bundled by default with Git 2.6.4.

The two vulnerabilities, both heap-based buffer overflows, allow attackers to execute malicious code on the machine. The only condition for an attack to take place is that a Mac user forks a Git repo that contains malicious code.

The attacker can use the malicious code hidden in the repo to launch an attack on the Mac, compromise the system, and take control of the user's device.

The bundled Git version can't be updated without breaking Git support

Mrs. Kroll says that this particular instance of Git can't be upgraded, nor can users change its runtime permissions to neuter the Git binary's capabilities.

Digging around in El Capitan's internals, she discovered that the "/usr/bin/git" binary is actually a link to a version of Git included with Xcode at "/Applications/Xcode.app/Contents/Developer/usr/bin". Upgrading this binary or changing its permissions breaks Git support.

"If you rely on machines like this, I am truly sorry. I feel for you," Mrs. Kroll wrote on her blog. "I wrote this post in an attempt to goad them [Apple] into action because this is affecting lots of people who are important to me. They are basically screwed until Apple deigns to deliver a patched git unto them."

It is worth mentioning that users can always install their own version of Git alongside the built-in one, but the vulnerable version will always remain, exposing users to attacks. Furthermore, some apps come with a hardcoded Git path that leads to "/usr/bin/git", so users might run the older vulnerable version without even knowing it.
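Because a user-installed Git does not remove the bundled one, the practical check is to ask each Git binary an application might actually run (the hardcoded "/usr/bin/git", the first "git" on PATH, and the Xcode copy) what version it reports, and compare that against the 2.7.4 release that fixed CVE-2016-2315 and CVE-2016-2324. The script below is an added example, not code from the article or from Kroll's blog; the "/usr/bin/git" path comes from the article, while the version-comparison logic, function names and sample version strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): report which Git binaries on this
# machine predate 2.7.4, the release that fixed CVE-2016-2315 / CVE-2016-2324.
# Versions 2.7.3 and prior are affected, matching the article's statement.

# Return 0 (true) if the "major.minor.patch" version in $1 is 2.7.3 or
# older, 1 (false) if it is newer, 2 if no version number can be parsed.
# Accepts the full "git --version" line, e.g. "git version 2.6.4 (Apple Git-63)".
git_version_is_vulnerable() {
    v=$(printf '%s' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 2
    set -- $v                      # split into major, minor, patch
    major=$1; minor=$2; patch=$3
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -gt 2 ]; then return 1; fi
    if [ "$minor" -lt 7 ]; then return 0; fi
    if [ "$minor" -gt 7 ]; then return 1; fi
    [ "$patch" -le 3 ]
}

# Run "$1 --version" and print a one-line verdict for that binary.
# Return codes mirror git_version_is_vulnerable (0 vulnerable, 1 ok, 2 unknown).
report_git_at() {
    candidate=$1
    [ -n "$candidate" ] && [ -x "$candidate" ] || { echo "skip        $candidate (not executable)"; return 2; }
    ver=$("$candidate" --version 2>/dev/null) || { echo "skip        $candidate (no --version)"; return 2; }
    r=0; git_version_is_vulnerable "$ver" || r=$?
    case $r in
        0) echo "VULNERABLE  $candidate: $ver" ;;
        1) echo "ok          $candidate: $ver" ;;
        *) echo "unknown     $candidate: $ver" ;;
    esac
    return $r
}

# Stand-alone usage: the hardcoded path apps may use, then the first git on
# PATH, then the Xcode toolchain copy when xcrun is available (macOS only).
report_git_at /usr/bin/git || true
path_git=$(command -v git 2>/dev/null || true)
[ "$path_git" != /usr/bin/git ] && { report_git_at "$path_git" || true; }
if command -v xcrun >/dev/null 2>&1; then
    report_git_at "$(xcrun --find git 2>/dev/null || true)" || true
fi
```

The parser deliberately reads only the numeric triple, so Apple's "(Apple Git-63)" suffix is ignored and the comparison is against upstream Git's numbering. A result of "unknown" means the binary answered with something the script could not parse, which should be inspected by hand rather than treated as safe.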