Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit

Filed under
Mac
Moz/FF
Security

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the audit), and iTerm2’s developer George Nachman worked closely together to develop and release a patch to ensure users were no longer subject to this security threat. All users of iTerm2 should update immediately to the latest version (3.3.6) which has been published concurrent with this blog post.

Founded in 2015, MOSS broadens access, increases security, and empowers users by providing catalytic support to open source technologists. Track III of MOSS — created in the wake of the 2014 Heartbleed vulnerability — supports security audits for widely used open source technologies like iTerm2. Mozilla is an open source company, and the funding MOSS provides is one of the key ways that we continue to ensure the open source ecosystem is healthy and secure.

iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers. MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).

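Since the only remedy the coverage gives is upgrading to 3.3.6, here is a quick check a macOS administrator can run to confirm which side of that line a given install sits on. This is an added example, not code from Mozilla, Radically Open Security or the iTerm2 project; it assumes iTerm2 is installed at the default path /Applications/iTerm.app and that, like any standard macOS app bundle, it records its version in the CFBundleShortVersionString key of Info.plist (both are assumptions about a normal install, not facts stated in the articles).

```shell
#!/bin/sh
# Added example, not code from Mozilla, Radically Open Security or the iTerm2
# project: report whether a locally installed iTerm2 is at or above 3.3.6,
# the release the article names as fixing CVE-2019-9535.
# Assumptions: iTerm2 lives at the default path /Applications/iTerm.app and,
# like any macOS app bundle, records its version in CFBundleShortVersionString.

FIXED_VERSION="3.3.6"
ITERM_PLIST="/Applications/iTerm.app/Contents/Info.plist"

# version_ge A B: succeed (exit 0) if version A >= version B.
# Fields are compared numerically, so 3.3.10 > 3.3.6, and a missing field
# counts as 0 (3.3 < 3.3.6). A non-digit suffix on a field is dropped, so
# "3.3.6beta2" compares equal to 3.3.6; handle pre-release builds separately
# if that distinction matters to you.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}                 # leading field of each
        fa=${fa%%[!0-9]*}; fb=${fb%%[!0-9]*}     # keep leading digits only
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac   # drop leading field
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0   # every field equal
}

# classify_version V: print "patched" if V >= FIXED_VERSION, else "vulnerable".
classify_version() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# iterm2_status [plist]: read the installed version and classify it.
# Prints "not-installed" when the bundle is absent (e.g. on a non-macOS host).
iterm2_status() {
    plist="${1:-$ITERM_PLIST}"
    if [ ! -f "$plist" ]; then
        echo "not-installed"
        return 0
    fi
    # `defaults read` expects the plist path without its .plist extension.
    ver=$(defaults read "${plist%.plist}" CFBundleShortVersionString 2>/dev/null)
    if [ -z "$ver" ]; then
        echo "unknown-version"
        return 0
    fi
    echo "$(classify_version "$ver") $ver"
}

# Report on the default install location when run directly.
iterm2_status
```

Run it on the Mac in question; anywhere else it simply prints not-installed. The per-field numeric comparison matters because a plain string compare would rank 3.3.10 below 3.3.6 and flag a patched install as vulnerable.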

Packt Hub's Vincy Davis reports

  • Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2

    Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all versions of iTerm2, the GPL-licensed terminal emulator for macOS.

    The security vulnerability was found by a sponsored security audit conducted by the Mozilla Open Source Support Program (MOSS), which delivers security audits for open source technologies. Mozilla and iTerm2’s developer George Nachman have together developed and released a patch for the vulnerability in iTerm2 version 3.3.6.

Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

  • Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

    A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security bug in iTerm2: a popular open source alternative to Apple’s Terminal — which provides a command line interface to control the UNIX-based operating system sitting below macOS.

    Mozilla, iTerm2’s developers and Radically Open Security, the not-for-profit security company contracted to probe iTerm2’s security, have urged users to update the software, which has now been patched. The issue had been sitting in the open (hopefully) unnoticed for approximately seven years, they said.

Critical remote code execution flaw fixed

  • Critical remote code execution flaw fixed in popular terminal app for macOS

    A security audit sponsored by Mozilla uncovered a critical remote code execution (RCE) vulnerability in iTerm2, a popular open-source terminal app for macOS. The flaw can be exploited if an attacker can force maliciously crafted data to be output by the terminal application, typically in response to a command issued by the user.

Critical 7-year-old flaw in open-source macOS app iTerm2

  • Patch now, Mac users: Critical 7-year-old flaw in open-source macOS app iTerm2

    Any developers or admins using the iTerm2 app should install the available patch immediately, judging by Mozilla's description; it sounds like the bug could be exploited in as yet unknown ways.

    "An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer," Mozilla's Tom Ritter writes.

iTerm2 issues emergency update

  • iTerm2 issues emergency update after MOSS finds a fatal flaw in its terminal code

    The author of popular macOS open source terminal emulator iTerm2 has rushed out a new version (v3.3.6) because prior iterations have a security flaw that could allow an attacker to execute commands on a computer using the application.

    The vulnerability (CVE-2019-9535) was identified through the Mozilla Open Source Support Program (MOSS), which arranged to audit iTerm2 under its remit to review open source projects for security problems. A third-party security biz, Radically Open Security, performed the audit.
