
Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit

Filed under: Mac, Moz/FF, Security

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the audit), and iTerm2’s developer George Nachman worked closely together to develop and release a patch to ensure users were no longer subject to this security threat. All users of iTerm2 should update immediately to the latest version (3.3.6) which has been published concurrent with this blog post.

Founded in 2015, MOSS broadens access, increases security, and empowers users by providing catalytic support to open source technologists. Track III of MOSS — created in the wake of the 2014 Heartbleed vulnerability — supports security audits for widely used open source technologies like iTerm2. Mozilla is an open source company, and the funding MOSS provides is one of the key ways that we continue to ensure the open source ecosystem is healthy and secure.

iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers. MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).

Read more

Packt Hub's Vincy Davis reports

  • Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2

    Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all the versions of iTerm2, the GPL-licensed terminal emulator for macOS.

    The security vulnerability was found by a sponsored security audit conducted by the Mozilla Open Source Support Program (MOSS), which delivers security audits for open source technologies. Mozilla and iTerm2's developer George Nachman have together developed and released a patch for the vulnerability in iTerm2 version 3.3.6.

Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

  • Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

    A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security bug in iTerm2: a popular open source alternative to Apple’s Terminal — which provides a command line interface to control the UNIX-based operating system sitting below macOS.

    Mozilla, iTerm2’s developers and Radically Open Security, the not-for-profit security company contracted to probe iTerm2’s security, have urged users to update the software, which has now been patched. The issue had been sitting in the open (hopefully) unnoticed for approximately seven years, they said.

Critical remote code execution flaw fixed

  • Critical remote code execution flaw fixed in popular terminal app for macOS

    A security audit sponsored by Mozilla uncovered a critical remote code execution (RCE) vulnerability in iTerm2, a popular open-source terminal app for macOS. The flaw can be exploited if an attacker can force maliciously crafted data to be outputted by the terminal application, typically in response to a command issued by the user.

Critical 7-year-old flaw in open-source macOS app iTerm2

  • Patch now, Mac users: Critical 7-year-old flaw in open-source macOS app iTerm2

    Any developers or admins using the iTerm2 app should install the available patch immediately, judging by Mozilla's description, and it sounds like the bug could be exploited in as yet unknown ways.

    "An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer," Mozilla's Tom Ritter writes.

iTerm2 issues emergency update

  • iTerm2 issues emergency update after MOSS finds a fatal flaw in its terminal code

    The author of popular macOS open source terminal emulator iTerm2 has rushed out a new version (v3.3.6) because prior iterations have a security flaw that could allow an attacker to execute commands on a computer using the application.

    The vulnerability (CVE-2019-9535) was identified through the Mozilla Open Source Support Program (MOSS), which arranged to audit iTerm2 under its remit to review open source projects for security problems. A third-party security biz, Radically Open Security, performed the audit.
