Homebrew, an alternative package manager for macOS, contained a vulnerability that allowed attackers to run their own code on computers running the software. The team behind the package manager has now released a patch.
Security researcher RyotaK published a blog post about the vulnerability in the Cask repository last week. In it, he explained that it was possible to get a malicious pull request merged by confusing the library used in the automated merge process. That, in turn, would make it possible to execute arbitrary Ruby code on victims' machines.
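As an added illustration (not code from Homebrew or from RyotaK's write-up, and not a reconstruction of the actual bug), the general lesson of a diff-parser confusion is that an auto-merge gate should not base its decision on a parsed diff alone. The Ruby below, with constructed cask contents and hypothetical helper names, decides auto-merge eligibility from the before and after file contents: only the `version` and `sha256` values may change, and anything else fails closed to human review.

```ruby
# Added example, not Homebrew's code: a fail-closed auto-merge gate that
# judges a cask pull request by the resulting file contents rather than
# by a parsed diff. Key names, file layout and helpers are constructed.

ALLOWED_KEYS = %w[version sha256].freeze
# A "simple stanza": `key "value"` and nothing else on the line.
FIELD_RE = /\A\s*(\w+)\s+"([^"]*)"\s*\z/

# Tokenise a cask file: each line becomes [:field, key, value] when it
# is a simple stanza, otherwise [:other, line].
def tokenize(text)
  text.lines(chomp: true).map do |line|
    if (m = FIELD_RE.match(line))
      [:field, m[1], m[2]]
    else
      [:other, line]
    end
  end
end

# Return the keys whose values differ between the two files, or nil when
# the change touches anything other than the value of a simple stanza.
def changed_keys(before, after)
  a = tokenize(before)
  b = tokenize(after)
  return nil unless a.length == b.length   # lines added or removed

  changed = []
  a.zip(b) do |x, y|
    return nil unless x[0] == y[0]         # stanza swapped for other text
    if x[0] == :other
      return nil unless x[1] == y[1]       # non-stanza line edited
    else
      return nil unless x[1] == y[1]       # key renamed
      changed << x[1] if x[2] != y[2]
    end
  end
  changed
end

# True only for a non-empty change confined to the allowed keys.
def safe_to_automerge?(before, after)
  keys = changed_keys(before, after)
  return false if keys.nil? || keys.empty?
  (keys - ALLOWED_KEYS).empty?
end

# Constructed sample cask (raw heredoc keeps #{version} literal).
BEFORE = <<~'CASK'
  cask "example-app" do
    version "1.0.0"
    sha256 "0000000000000000000000000000000000000000000000000000000000000000"
    url "https://example.invalid/example-app-#{version}.zip"
    name "Example App"
    app "Example.app"
  end
CASK

# A plain version bump: version and sha256 change, nothing else.
AFTER_OK = BEFORE.sub('version "1.0.0"', 'version "1.0.1"').sub("0" * 64, "1" * 64)
# The same bump that also moves the download location.
AFTER_URL = AFTER_OK.sub("https://example.invalid/", "https://mirror.invalid/")
# The same bump that also adds a block the gate has no rule for.
AFTER_EXTRA = AFTER_OK.sub(
  "  app \"Example.app\"\n",
  "  app \"Example.app\"\n  postflight do\n    # constructed extra block\n  end\n"
)

if __FILE__ == $PROGRAM_NAME
  { "version bump" => AFTER_OK, "url change" => AFTER_URL,
    "extra block" => AFTER_EXTRA }.each do |label, after|
    verdict = safe_to_automerge?(BEFORE, after) ? "auto-merge" : "needs human review"
    puts "#{label}: #{verdict}"
  end
end
```

The point of comparing whole files is that no diff-text trick can matter: whatever the pull request's patch looks like, the gate only sees the file that would exist after merging and rejects any difference it cannot account for.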
Vulnerability hasn’t been abused
RyotaK demonstrated the vulnerability by making a harmless change to the software with the permission of the makers of Homebrew. This change was subsequently reverted and the vulnerability closed. Pull requests for Homebrew are now also checked manually. In theory, an attacker could have used the vulnerability to execute their own code on computers running Homebrew, but as far as is known the vulnerability has not been abused.
Open-source package manager
Homebrew is a free open-source package manager for macOS and Linux. The software is intended to make installing software on these operating systems as simple as possible. It is popular among various communities for its extensibility, ease of use and integration with the command-line interface.
Vulnerabilities in WebKit closed
Apple has recently released several updates to close vulnerabilities in WebKit. For example, in March, the company closed a vulnerability that theoretically allowed attackers to gain access to devices running the Safari browser. A few weeks later, Apple added an update for iOS, iPadOS and watchOS. This closed a vulnerability that allowed attackers to access sensitive information such as session tokens and cookies.