Time To Update SourceTree: ‘Critical’ Vulnerability Found In URI Parsing

If you’ve been holding out on updating your SourceTree client, now might be the time to reconsider, with a “critical” vulnerability found in older versions of the program. Both Mac and Windows flavours are affected.

Here are the specific version numbers:

SourceTree for Mac 1.4.0
SourceTree for Windows 0.8.4b

The advisory from Atlassian doesn’t contain specifics on how the vulnerability works, but you can find information on the Common Vulnerabilities and Exposures website:

Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme.

It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632.

You have two options — either update SourceTree to the latest version, or disable the sourcetree:// URI handler. Obviously, the former is recommended; however, if you’re in a situation where upgrading isn’t practical, follow these steps:

1. Locate the HKEY_CLASSES_ROOT\sourcetree key in the registry.
2. Delete everything except the key itself.
3. Change the key permissions so no user has write access (untick “Full Control”).

SourceTree will attempt to regenerate the key on startup, hence the permissions change. For new versions, a checkbox is available that should prevent SourceTree from doing this.
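The three registry steps above, scripted as an added PowerShell example (this is not code from the article or from Atlassian). It assumes the handler lives at HKEY_CLASSES_ROOT\sourcetree as the steps describe, and that it is run from an elevated PowerShell session. It empties the key, replaces the access rules with read-only ones so SourceTree cannot re-create the handler on startup, and includes a check you can run afterwards to confirm the mitigation is in place.

```powershell
# Added example, not from the article or Atlassian. Disables the sourcetree://
# URI handler by emptying HKCR\sourcetree and leaving only read access on the
# key, so the client cannot regenerate the handler on startup. Run elevated.
$keyPath = 'Registry::HKEY_CLASSES_ROOT\sourcetree'   # assumed key path (from the article's steps)

function Get-SourceTreeHandlerCommand {
    # Returns the command currently registered for sourcetree://, or $null if none.
    $cmdKey = Join-Path $keyPath 'shell\open\command'
    if (Test-Path $cmdKey) {
        return (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    return $null
}

function Disable-SourceTreeUriHandler {
    if (-not (Test-Path $keyPath)) {
        Write-Host 'No sourcetree:// handler is registered; nothing to do.'
        return
    }
    Write-Host "Registered handler before change: $(Get-SourceTreeHandlerCommand)"

    # Step 2: delete everything under the key (subkeys and values) but keep the key itself.
    Get-ChildItem -Path $keyPath | Remove-Item -Recurse -Force
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        # The default value has an empty name; the provider addresses it as '(default)'.
        $propName = if ($name -eq '') { '(default)' } else { $name }
        Remove-ItemProperty -Path $keyPath -Name $propName -Force
    }

    # Step 3: strip write access. Stop inheriting rules, drop the explicit ones,
    # then grant ReadKey only (the "untick Full Control" of the manual steps).
    $acl = Get-Acl -Path $keyPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($identity in 'Everyone', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $readOnly = New-Object System.Security.AccessControl.RegistryAccessRule(
            $identity, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($readOnly)
    }
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host 'sourcetree:// handler cleared and key set to read-only.'
}

function Test-SourceTreeUriHandlerDisabled {
    # Defender check: $true when the key exists, is empty, and no ACE grants write rights.
    if (-not (Test-Path $keyPath)) { return $true }   # no handler at all
    $key = Get-Item -Path $keyPath
    if ($key.SubKeyCount -gt 0 -or $key.ValueCount -gt 0) { return $false }
    $acl = Get-Acl -Path $keyPath
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -eq 'Allow' -and ($rule.RegistryRights -band $writeRights)) {
            return $false
        }
    }
    return $true
}

Disable-SourceTreeUriHandler
if (Test-SourceTreeUriHandlerDisabled) {
    Write-Host 'Check passed: sourcetree:// handler is disabled.'
} else {
    Write-Warning 'Check failed: the key still has content or write access.'
}
```

Re-run `Test-SourceTreeUriHandlerDisabled` after the next SourceTree start; if it returns `$false`, the client managed to re-register the handler and the permissions change did not take effect, which is the case the manual steps warn about.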

SourceTree Security Advisory 2017-05-10 [Atlassian]

