DROWN-ing Xcode developer? Apple's thrown you a lifebelt
iCloud and iTunes on Windows also need patching
Apple has published security updates for Xcode, iCloud for Windows, and iTunes for Windows.
Xcode 8.1 plugs holes the Xcode server inherited from Chrome, OpenSSL and node.js. Apple's announcement is here.
There's a bunch of OpenSSL patches to start with:
- CVE-2016-0705 in OpenSSL is better known as the DROWN bug that let an attacker exploit SSLv2 support to break TLS.
- CVE-2016-0797 is a denial-of-service vulnerability.
- CVE-2016-0702 is an “cachebleed” attack that lets one user on an Intel processor discover another user's cache contents – including their RSA keys.
- In CVE-2015-3193, an attacker could force a downgrade of encryption on an application using OpenSSL, while CVE-2015-3194 is a simple DoS attack against the protocol.
Cupertino has also updated iCloud for Windows against two bugs: CVE-2016-4613, reported by Google security engineer Chris Palmer, which allowed a malicious Web page to steal user data; and CVE-2016-7578, which Apple found, a memory corruption issue that could lead to remote code execution.
The same two bugs have been also been patched in iTunes for Windows. ®