Language Selection

English French German Italian Portuguese Spanish

Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit

Filed under
Mac
Moz/FF
Security

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the audit), and iTerm2’s developer George Nachman worked closely together to develop and release a patch to ensure users were no longer subject to this security threat. All users of iTerm2 should update immediately to the latest version (3.3.6) which has been published concurrent with this blog post.

Founded in 2015, MOSS broadens access, increases security, and empowers users by providing catalytic support to open source technologists. Track III of MOSS — created in the wake of the 2014 Heartbleed vulnerability — supports security audits for widely used open source technologies like iTerm2. Mozilla is an open source company, and the funding MOSS provides is one of the key ways that we continue to ensure the open source ecosystem is healthy and secure.

iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers. MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).

Read more

Packt Hub's Vincy Davis reports

  • Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2

    Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all the versions of iTerm2, the GPL-licensed terminal emulator for macOS.

    The security vulnerability was found by a sponsored security audit conducted by the Mozilla Open Source Support Program (MOSS) which delivers security audits for open source technologies. Mozilla and the iTerm2’s developer George Nachman have together developed and released a patch for the vulnerability in the iTerm2 version 3.3.6.

Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

  • Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

    A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security bug in iTerm2: a popular open source alternative to Apple’s Terminal — which provides a command line interface to control the UNIX-based operating system sitting below macOS.

    Mozilla, iTerm2’s developers and Radically Open Security, the not-for-profit security company contracted to probe iTerm2’s security, have urged users to update the software, which has now been patched. The issue had been sitting in the open (hopefully) unnoticed for approximately seven years, they said.

Critical remote code execution flaw fixed

  • Critical remote code execution flaw fixed in popular terminal app for macOS

    A security audit sponsored by Mozilla uncovered a critical remote code execution (RCE) vulnerability in iTerm2, a popular open-source terminal app for macOS. The flaw can be exploited if an attacker can force maliciously crafted data to be outputted by the terminal application, typically in response to a command issued by the user.

Critical 7-year-old flaw in open-source macOS app iTerm2

  • Patch now, Mac users: Critical 7-year-old flaw in open-source macOS app iTerm2

    Any developers or admins using the iTerm2 app should install the available patch immediately, judging by Mozilla's description, and it sounds like the bug could be exploited in as yet unknown ways.

    "An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer," Mozilla's Tom Ritter writes.

iTerm2 issues emergency update

  • iTerm2 issues emergency update after MOSS finds a fatal flaw in its terminal code

    The author of popular macOS open source terminal emulator iTerm2 has rushed out a new version (v3.3.6) because prior iterations have a security flaw that could allow an attacker to execute commands on a computer using the application.

    The vulnerability (CVE-2019-9535) was identified through the Mozilla Open Source Support Program (MOSS), which arranged to audit iTerm2 under its remit to review open source projects for security problems. A third-party security biz, Radically Open Security, performed the audit.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Audiocasts/Shows/Screencasts: Destination Linux, Open Source Security Podcast, Linux Action News, Test and Code, Pop_!OS 19.10 Run Through

Polishing of KDE and Adding Git Support to Kate

  • This week in KDE: fixing all the things

    Plasma 5.17 was released this week to glowing reviews! As with most new releases, our loyal users wasted no time in finding all the bugs we missed! So you know what that means, right? We all burned the midnight oil fixing the problems you found, and Plasma 5.17.1 will be released in just a few days with everything we’ve knocked out so far (detailed below) so never fear!

  • KDE Continues Seeing A Lot Of Bug Fixes, Continued Tweaks Around System Settings

    KDE developers remain busy this autumn on addressing bugs in the recent KDE Plasma 5.17 release and tackling early feature work for Plasma 5.18. Plus work on KDE Frameworks 5 and KDE Applications is as busy as ever.

  • Working around the Wrong Cursor bug

    This is a long-known bug with countless Reddit/Forum/… posts with often the correct answer how to fix it.

  • RFC - Git Client Integration

    At this year’s KDE conference Akademy we discussed how to evolve Kate over the next years. One of the areas we want to improve is better git integration out of the box. Currently, Kate ships the Projects plugin, which automatically detects and loads your file structure from your git repository. If a project is loaded, then the Search & Replace plugin allows to search&replace in all project files. In addition, the Quick Open feature also supports opening files from the currently active project - all explained here. However, the Projects plugin does not provide any real git integration: You can neither pull nor push, commit, diff, etc. If at all, additional git functionality is available only via external tools like gitk or git-cola (e.g. available in the context menu). This is something we would like to change by having really nice git integration.

today's howtos

Games: Humble and Five-or-More Modernisation in GNOME

  • Humble Monthly will be changing to Humble Choice later this year

    If you're interested in getting a bunch of games each month, the Humble Monthly has at times been quite generous with the selection. Things are about to change, with it being renamed to Humble Choice with new options. Currently, you pay a set fee of $12 a month (or less for more months) and get at least one game to play early. Then at the end of each month, they give you a bunch more games ranging between 7-11. That's changing sometime later this year with Humble Choice. As the name suggests, it does seem to actually give you a little more control. Games are revealed upfront instead of being a mystery and you pick the ones you want from a larger list.

  • Imperator: Rome is getting a free Punic Wars content pack in addition to the big Livy update

    One piece of PDXCON news missed from yesterday: Imperator: Rome is getting a free Punic Wars Content Pack along with the upcoming Livy Update. Paradox Development Studio sure are busy. Not only are they working on multiple Stellaris expansions, Crusader Kings III and Hearts of Iron IV: La Résistance they're also trying to turn around the rough launch of Imperator: Rome. Another big free patch is coming out named Livy which will include: a new character experience system, a rework of the family system, a procedurally generated mission system, a map with greater details including showing war on the map with burning cities and more not yet announced. It's going to be big!

  • Five-or-More Modernisation: It's a Wrap

    As probably most of you already know, or recently found out, at the beginning of this week the GSoC coding period officially ended, and it is time for us, GSoC students, to submit our final evaluations and the results we achieved thus far. This blog post, as you can probably tell from the title, will be a summary of all of the work I put into modernising Five or More throughout the summer months. My main task was rewriting Five or More in Vala since this simple and fun game did not find its way to the list of those included in the Games Modernisation Initiative. This fun, strategy game consists of aligning, as often as possible, five or more objects of the same shape and color, to make them disappear and score points. Besides the Vala rewrite, there were also some other tasks included, such as migrating to Meson and dropping autotools, as well as keeping the view and logic separated and updating the UI to make this game more relatable for the public and more fresh-looking. However, after thoroughly discussing the details with my mentor, Robert Roth (IRC: evfool), more emphasis was placed upon rewriting the code to Vala, since the GSoC program is specifically designed for software development. However, slight UI modifications were integrated as to match the visual layout guidelines.

  • Five-or-More Modernisation: Now You Can Properly Play It

    As Google Summer of Code is officially drawing to an end, all of my attention was focused towards making the Five or More Vala version feature-complete. As you probably already know from my previous blog post, the game was somehow playable at that time, but it was missing some of the key features included in the old version. So what’s new this time? First and foremost, you can surely notice the game board now sports a grid, which wasn’t there until now. On the same note, there are also animations used for clicking a piece on the board, for an improved gaming experience. For further accessibility, some header bar hints are available at different stages in the game: at the start of any new game, at the end of each game, as well as whenever there is no clear path between the initial position and the cell indicated by the user for the current move.