SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Apple Xcode Vendors:   Apple
Apple Xcode Lets Local Applications Access Keychain Information For Other Applications
SecurityTracker Alert ID:  1027302
SecurityTracker URL:  http://securitytracker.com/id/1027302
CVE Reference:   CVE-2012-3698   (Links to External Site)
Date:  Jul 26 2012
Impact:   Disclosure of authentication information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.4
Description:   A vulnerability was reported in Apple Xcode. A local user can obtain keychain authentication information.

When an App Store app component that does not have a bundle identifier is signed via Xcode, the developer ID is not included in the generated designated requirement (DR). As a result, an arbitrary App Store app can access keychain items for the target component or app.

Impact:   A local user (app) can obtain keychain information for other apps on the target system.
Solution:   The vendor has issued a fix (4.4), available from the Downloads section of the Apple Developer Connection Member site at:

http://developer.apple.com/

Xcode 4.4 is also available from the App Store. It is free to anyone with OS X 10.7.x Lion and later.

The download file is named: "xcode446938108a.dmg"
Its SHA-1 digest is: d04393543564f85c2f4d82e507d596d3070e9aba

The vendor's advisory will be available at:

http://support.apple.com/kb/HT1222

Vendor URL:  www.apple.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  UNIX (macOS/OS X)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC