Language Selection

English French German Italian Portuguese Spanish

Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit

Filed under
Mac
Moz/FF
Security

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the audit), and iTerm2’s developer George Nachman worked closely together to develop and release a patch to ensure users were no longer subject to this security threat. All users of iTerm2 should update immediately to the latest version (3.3.6) which has been published concurrent with this blog post.

Founded in 2015, MOSS broadens access, increases security, and empowers users by providing catalytic support to open source technologists. Track III of MOSS — created in the wake of the 2014 Heartbleed vulnerability — supports security audits for widely used open source technologies like iTerm2. Mozilla is an open source company, and the funding MOSS provides is one of the key ways that we continue to ensure the open source ecosystem is healthy and secure.

iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers. MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).

Read more

Packt Hub's Vincy Davis reports

  • Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2

    Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all the versions of iTerm2, the GPL-licensed terminal emulator for macOS.

    The security vulnerability was found by a sponsored security audit conducted by the Mozilla Open Source Support Program (MOSS) which delivers security audits for open source technologies. Mozilla and the iTerm2’s developer George Nachman have together developed and released a patch for the vulnerability in the iTerm2 version 3.3.6.

Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

  • Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

    A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security bug in iTerm2: a popular open source alternative to Apple’s Terminal — which provides a command line interface to control the UNIX-based operating system sitting below macOS.

    Mozilla, iTerm2’s developers and Radically Open Security, the not-for-profit security company contracted to probe iTerm2’s security, have urged users to update the software, which has now been patched. The issue had been sitting in the open (hopefully) unnoticed for approximately seven years, they said.

Critical remote code execution flaw fixed

  • Critical remote code execution flaw fixed in popular terminal app for macOS

    A security audit sponsored by Mozilla uncovered a critical remote code execution (RCE) vulnerability in iTerm2, a popular open-source terminal app for macOS. The flaw can be exploited if an attacker can force maliciously crafted data to be outputted by the terminal application, typically in response to a command issued by the user.

Critical 7-year-old flaw in open-source macOS app iTerm2

  • Patch now, Mac users: Critical 7-year-old flaw in open-source macOS app iTerm2

    Any developers or admins using the iTerm2 app should install the available patch immediately, judging by Mozilla's description, and it sounds like the bug could be exploited in as yet unknown ways.

    "An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer," Mozilla's Tom Ritter writes.

iTerm2 issues emergency update

  • iTerm2 issues emergency update after MOSS finds a fatal flaw in its terminal code

    The author of popular macOS open source terminal emulator iTerm2 has rushed out a new version (v3.3.6) because prior iterations have a security flaw that could allow an attacker to execute commands on a computer using the application.

    The vulnerability (CVE-2019-9535) was identified through the Mozilla Open Source Support Program (MOSS), which arranged to audit iTerm2 under its remit to review open source projects for security problems. A third-party security biz, Radically Open Security, performed the audit.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

How GNOME uses Git

“What’s your GitLab?” is one of the first questions I was asked on my first day working for the GNOME Foundation—the nonprofit that supports GNOME projects, including the desktop environment, GTK, and GStreamer. The person was referring to my username on GNOME’s GitLab instance. In my time with GNOME, I’ve been asked for my GitLab a lot. We use GitLab for basically everything. In a typical day, I get several issues and reference bug reports, and I occasionally need to modify a file. I don’t do this in the capacity of being a developer or a sysadmin. I’m involved with the Engagement and Inclusion & Diversity (I&D) teams. I write newsletters for Friends of GNOME and interview contributors to the project. I work on sponsorships for GNOME events. I don’t write code, and I use GitLab every day. Read more

NordPy: An Open-Source Linux Client for NordVPN

NordVPN is a personal VPN software with the main focus on protecting user privacy and granting them access to regionally restricted content. It features a strong encryption protocol with a no-log policy and works with north of 5700 servers in at least 60 countries. It is available for Linux, Windows, macOS, AndroidTV, Android, iOS and NAS platforms. It can also be manually set up on WiFi routers. NordVPN is one of the most recommended VPN services and while it continues to receive positive reviews from customers, developers are beginning to dedicate some time to it and this is how NordPy has come to be. NordPy is an open-source GUI client for Linux users who like NordVPN and it inherits all the features in the official NordVPN applications. Its feature list includes connection to OpenVPN or NetworkManager-OpenVPN via TCP and UDP, no DNS leak when using OpenVPN, Read more

Announcing Rustup 1.20.0

The rustup working group is happy to announce the release of rustup version 1.20.0. Rustup is the recommended tool to install Rust, a programming language that is empowering everyone to build reliable and efficient software. Read more Also Mozilla: Karl Dubost: This is not a remote work

today's howtos