Xcode now comes with a Git version that's safe to use

May 4, 2016 21:05 GMT

Apple has finally updated the Git version packed with its Xcode IDE toolkit, fixing two severe security bugs that were putting the company's users at unnecessary risk.

The two security issues are CVE-2016-2324 and CVE-2016-2315, affecting the Git version control system version 2.7.3 and earlier.

Git vulnerabilities allowed attackers to take over Macs

Security researcher Mattias Geniar discovered the two vulnerabilities earlier in March, and he showed they were both heap-based buffer overflows that allowed attackers to execute malicious code on the user's computer.

Exploiting these vulnerabilities was easier than you'd think. All an attacker had to do was bundle malicious code inside a Git repository and wait for a user with an older version of Git to fork their repo. The malicious code would execute automatically and compromise the user's Mac.

The current version of Git is 2.8.2, so these vulnerabilities should not have been an issue since most users tend to keep their Git version up to date.

Xcode came with a really old Git version

The problem was that Apple was distributing Git 2.6.4 with its OS X versions, as part of the Xcode IDE. If the user did not install their own version of Git, they were automatically exposed to these flaws, since Xcode comes packed with all OS X versions.

What's worse, the vulnerable Git was also set as the default Git installation on all Macs, and as Rachel Kroll previously explained, upgrading or changing the default path created more problems than it solved.
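The two paragraphs above, and the earlier point that users who keep Git current were never exposed, reduce to one practical question for a Mac owner: which Git does my machine actually run, and is it at least 2.7.4? The script below is an added example, not code from the article or from Apple or the Git project. It checks Apple's bundled `/usr/bin/git` and whatever `git` resolves to on `PATH` (a Homebrew install, for instance), parses the `git --version` line, and compares it component by component against 2.7.4 in plain POSIX sh, so it does not depend on GNU `sort -V`, which BSD-based macOS lacks. The `Apple Git-NN` suffix in the sample lines is a constructed stand-in for the build tag Apple appends; the threshold 2.7.4 is the version the article says Xcode 7.3.1 ships.

```shell
#!/bin/sh
# Added example (not from the article): report whether each Git binary on a
# Mac is at or above the version that carries the fixes for the two CVEs.

MIN_SAFE_GIT="2.7.4"   # version bundled with Xcode 7.3.1, per the article

# Extract "X.Y.Z" from a `git --version` line such as
# "git version 2.6.4 (Apple Git-NN)" (the Apple suffix is a constructed sample).
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions numerically, one component at a time.
# Prints -1, 0 or 1 like strcmp; missing components count as 0, so
# "2.7" equals "2.7.0" and "2.10" is newer than "2.9.1".
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    echo 0
}

# Exit status 0 when version $1 is >= MIN_SAFE_GIT, 1 otherwise.
git_version_is_safe() {
    [ "$(version_cmp "$1" "$MIN_SAFE_GIT")" -ge 0 ]
}

# Classify a raw `git --version` line: prints safe, vulnerable or unknown.
classify_git_output() {
    v=$(parse_git_version "$1")
    if [ -z "$v" ]; then echo unknown; return; fi
    if git_version_is_safe "$v"; then echo safe; else echo vulnerable; fi
}

# Run a given git binary and print its version line with the verdict.
# Note: on a Mac without the Command Line Tools, /usr/bin/git is a stub
# that asks to install them; the stderr redirect keeps the script quiet.
report_git() {
    bin="$1"
    if [ -x "$bin" ]; then
        line=$("$bin" --version 2>/dev/null | head -n 1)
        printf '%s: %s (%s)\n' "$bin" "$line" "$(classify_git_output "$line")"
    else
        printf '%s: not present\n' "$bin"
    fi
}

main() {
    # Apple's default Git, then whatever `git` means on this user's PATH.
    report_git /usr/bin/git
    on_path=$(command -v git 2>/dev/null || true)
    if [ -n "$on_path" ] && [ "$on_path" != /usr/bin/git ]; then
        report_git "$on_path"
    fi
    # Constructed sample lines showing both verdicts without touching a binary.
    printf 'sample old Apple Git: %s\n' "$(classify_git_output 'git version 2.6.4 (Apple Git-NN)')"
    printf 'sample current Git:   %s\n' "$(classify_git_output 'git version 2.8.2')"
}

main "$@"
```

Running it on a machine in the state the article describes prints `/usr/bin/git` as `vulnerable` even when a newer Homebrew Git appears first on `PATH`, which is exactly the situation where a tool that shells out to an absolute `/usr/bin/git` path still uses the old binary. The version check also carries over to any CI image that pins an older Git for reproducibility.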

Following her discovery, the Mac community didn't take the news well, and Apple was subjected to a lot of criticism for bundling a vulnerable Git version with Xcode.

The company addressed this issue two days ago, when it released new versions for some of its products, such as iOS 9.3.2, Mac OS X 10.11.5 El Capitan, and tvOS 9.2.1. Among the changes included in the El Capitan update is Xcode 7.3.1, which now comes with Git 2.7.4 by default.