This article is more than 1 year old

DROWN-ing Xcode developer? Apple's thrown you a lifebelt

iCloud and iTunes on Windows also need patching

Apple has published security updates for Xcode, iCloud for Windows, and iTunes for Windows.

Xcode 8.1 plugs holes the Xcode server inherited from Chrome, OpenSSL and node.js. Apple's announcement is here.

There's a bunch of OpenSSL patches to start with:

  • CVE-2016-0705 in OpenSSL is better known as the DROWN bug that let an attacker exploit SSLv2 support to break TLS.
  • CVE-2016-0797 is a denial-of-service vulnerability.
  • CVE-2016-0702 is an “cachebleed” attack that lets one user on an Intel processor discover another user's cache contents – including their RSA keys.
  • In CVE-2015-3193, an attacker could force a downgrade of encryption on an application using OpenSSL, while CVE-2015-3194 is a simple DoS attack against the protocol.

CVE-2015-6764 and CVE-2016-1669 are bugs inherited from Google Chrome code.

CVE-2016-2086, CVE-2016-2216 and CVE-2015-8027 splat bugs in node.js.

Cupertino has also updated iCloud for Windows against two bugs: CVE-2016-4613, reported by Google security engineer Chris Palmer, which allowed a malicious Web page to steal user data; and CVE-2016-7578, which Apple found, a memory corruption issue that could lead to remote code execution.

The same two bugs have been also been patched in iTunes for Windows. ®

More about


Send us news

Other stories you might like