Why you can’t trust AI-generated autocomplete code to be secure

When GitHub launched the code autocomplete tool Copilot in June 2021, many developers were in awe, saying it reads their minds and helps them write code faster. Copilot looks at the variable names and comments someone writes and suggests what should come next. It provides lines of code or even entire functions the developer might not know how to write.

However, developers who accept suggestions they do not understand, without reviewing them, can end up shipping security weaknesses. Researchers at New York University’s Tandon School of Engineering put Copilot to the test and found that about 40% of the programs it generated in security-relevant scenarios contained vulnerabilities.

“Copilot’s response to our scenarios is mixed from a security standpoint, given the large number of generated vulnerabilities,” the researchers wrote in a paper. They checked the generated code with GitHub’s CodeQL, a static analyzer that queries code for known weakness classes, and found that suggestions frequently contained SQL-injection flaws and other weaknesses from the 2021 CWE Top 25 Most Dangerous Software Weaknesses list. The model also struggles with domain-specific languages such as Verilog, where it often fails to produce code that is “syntactically correct and meaningful.”
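The SQL-injection pattern the NYU study flagged, shown as an added example that is not code from the article, the paper, or Copilot itself. The vulnerable lookup splices caller input into the query text (CWE-89); the hardened version binds it as a parameter. The small `flag_formatted_queries` scanner below is a toy stand-in for a static rule of the kind CodeQL runs, not CodeQL’s own query: it walks the AST and reports functions that hand a formatted string to `execute()`. The sqlite3 table, the usernames and the `SAMPLE_SOURCE` snippet are constructed for the example.

```python
"""Vulnerable vs. parameterized SQL lookup, plus a toy AST scan for the unsafe pattern."""
import ast
import sqlite3

PAYLOAD = "x' OR '1'='1"  # classic tautology payload; quotes close the string literal


def make_db():
    """Constructed in-memory sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def get_user_unsafe(conn, username):
    """CWE-89: caller-controlled text becomes part of the SQL statement."""
    query = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def get_user_safe(conn, username):
    """Parameterized: the driver binds the value, so quotes in it are just data."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups with a normal name and with the payload."""
    conn = make_db()
    return {
        "unsafe_normal": get_user_unsafe(conn, "alice"),
        "unsafe_payload": get_user_unsafe(conn, PAYLOAD),  # returns every row
        "safe_normal": get_user_safe(conn, "alice"),
        "safe_payload": get_user_safe(conn, PAYLOAD),  # returns nothing
    }


def _is_formatted(expr):
    """True for expressions built by %, +, an f-string or str.format().
    Over-approximates on purpose: constant + constant is also reported."""
    if isinstance(expr, (ast.BinOp, ast.JoinedStr)):
        return True
    return (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format")


def flag_formatted_queries(source):
    """Toy stand-in for a SAST rule: names of functions whose execute() call
    receives a formatted string, directly or via a local assigned from one."""
    tree = ast.parse(source)
    flagged = []
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        # ast.walk is breadth-first, so a top-level Assign is seen before
        # the Call nested inside a later statement of the same body.
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _is_formatted(node.value):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                arg = node.args[0]
                if _is_formatted(arg) or (isinstance(arg, ast.Name) and arg.id in tainted):
                    flagged.append(func.name)
                    break
    return flagged


# Constructed snippet in the style of an autocomplete suggestion, used as scanner input.
SAMPLE_SOURCE = '''
def lookup_unsafe(conn, name):
    q = "SELECT * FROM users WHERE username = '%s'" % name
    return conn.execute(q).fetchall()

def lookup_fstring(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE username = '{name}'").fetchall()

def lookup_safe(conn, name):
    return conn.execute("SELECT * FROM users WHERE username = ?", (name,)).fetchall()
'''


def scan_sample():
    """Scan the constructed snippet; the two formatted variants are reported."""
    return flag_formatted_queries(SAMPLE_SOURCE)


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
    print("flagged:", scan_sample())
```

The scanner is deliberately narrow: it does not follow data across function boundaries or through string concatenation built up over several statements, which is exactly the gap a real analyzer such as CodeQL closes with interprocedural taint tracking. The point it does make holds regardless of how the code was produced: a suggestion that interpolates input into a query should fail review, and a rule like this in CI catches it before a human has to.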

cabal-rpm-2.0.11-1.fc34

FEDORA-2022-78559f99a9

Packages in this update:

cabal-rpm-2.0.11-1.fc34

Update description:

take build-tool-depends into account (#65)
'spec', 'update': detect autorelease and preserve autochangelog (#66)
'spec --standalone': strip executable
support _builddir

cabal-rpm-2.0.11-1.fc35

FEDORA-2022-429861c39a

Packages in this update:

cabal-rpm-2.0.11-1.fc35

Update description:

take build-tool-depends into account (#65)
'spec', 'update': detect autorelease and preserve autochangelog (#66)
'spec --standalone': strip executable
support _builddir

APPLE-SA-2022-03-14-4 macOS Monterey 12.3

Posted by Apple Product Security via Fulldisclosure on Mar 14

APPLE-SA-2022-03-14-4 macOS Monterey 12.3

macOS Monterey 12.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213183.

Accelerate Framework
Available for: macOS Monterey
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved
state…

APPLE-SA-2022-03-14-2 watchOS 8.5

Posted by Apple Product Security via Fulldisclosure on Mar 14

APPLE-SA-2022-03-14-2 watchOS 8.5

watchOS 8.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213193.

Accelerate Framework
Available for: Apple Watch Series 3 and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved
state…

APPLE-SA-2022-03-14-1 iOS 15.4 and iPadOS 15.4

Posted by Apple Product Security via Fulldisclosure on Mar 14

APPLE-SA-2022-03-14-1 iOS 15.4 and iPadOS 15.4

iOS 15.4 and iPadOS 15.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213182.

Accelerate Framework
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2
and later, iPad 5th generation and later, iPad mini 4 and later, and
iPod touch (7th generation)
Impact: Opening a maliciously crafted PDF file may lead to…

APPLE-SA-2022-03-14-3 tvOS 15.4

Posted by Apple Product Security via Fulldisclosure on Mar 14

APPLE-SA-2022-03-14-3 tvOS 15.4

tvOS 15.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213186.

AppleAVD
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously crafted image may lead to heap
corruption
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-22666: Marc Schoenefeld, Dr. rer. nat.

AVEVideoEncoder…

APPLE-SA-2022-03-14-5 macOS Big Sur 11.6.5

Posted by Apple Product Security via Fulldisclosure on Mar 14

APPLE-SA-2022-03-14-5 macOS Big Sur 11.6.5

macOS Big Sur 11.6.5 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213184.

Accelerate Framework
Available for: macOS Big Sur
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved
state…

APPLE-SA-2022-03-14-10 iTunes 12.12.3 for Windows

Posted by Apple Product Security via Fulldisclosure on Mar 14

APPLE-SA-2022-03-14-10 iTunes 12.12.3 for Windows

iTunes 12.12.3 for Windows addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213188.

ImageIO
Available for: Windows 10 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2022-22611: Xingyu Jin of…
