|
|
>> Apple Xcode Code Execution and Information Disclosure Vulnerabilities
|
Two vulnerabilities have been identified in Apple Xcode, which could be exploited by attackers to gain knowledge of sensitive information or compromise a vulnerable system.
The first vulnerability is caused by a buffer overflow error in the Core Image Fun House application when processing malformed ".funhouse" files, which could be exploited by attackers to crash an affected application or execute arbitrary code.
The second issue is caused by an error in WebObjects when generating URLs in HTML documents via the WOHyperlink dynamic element, which could cause WOHyperlink to append a session ID to the generated URL, even for absolute URLs, leading to the disclosure of the current user's session ID to arbnitrary sites.
Affected Products
Apple Xcode tools versions prior to 3.1
Solution
Upgrade to Apple Xcode tools version 3.1.
References
http://www.vupen.com/english/advisories/2008/2093
http://support.apple.com/kb/HT2352
http://www.netragard.com/pdfs/research/NETRAGARD-20080630-FUNHOUSE.txt
Credits
Vulnerabilities reported by Kevin Finisterre (Netragard) and the vendor.
ChangeLog
2008-07-14 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
