Apple has released an update to its developer tools, Xcode Tools 3.1. Xcode 3.1b was previously available as part of the iPhone SDK and is now as a standalone package for Mac OS developers as well. Addressing security issues, the new update fixes an arbitrary code execution and a WebObjects session ID disclosure. Requirements for Xcode tools 3.1 are an Apple Developer Connection membership and OS X 10.5 or higher. Xcode is available for Mac OS developers and as part of the final iPhone SDK; both are free for ADC members. [updated]

Xcode tools 3.1 fixes a CoreImage problem that could lead to arbitrary code execution or an unexpected application termination. The tools include an example application called CoreImage Fun House that handles content with the ".funhouse" extension. The problem involved a possible buffer overflow in the application when processing ".funhouse" files. Opening a maliciously-crafted ".funhouse" file could lead to an unexpected application termination or arbitrary code execution. The update addresses the issue through improved bounds
checking.

Version 3.1 also includes a fix for WebObjects session IDs being disclosed to other web sites. WebObjects' WOHyperlink, a dynamic hyperlink generator that appends session IDs to the URLs it generates, could possibly disclose user's session IDs to the sites linked to by the URL. The 3.1 update prevents session IDs from being added to URLs, except when the user specifically requests the action.