October 11, 2019 (updated 27 Jul 2022, 9:00am)

Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

"We expect the community will find many more creative examples..."

By CBR Staff Writer

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security bug in iTerm2, a popular open source alternative to Apple’s Terminal that provides a command line interface to the UNIX underpinnings of macOS.

Mozilla, iTerm2’s developers and Radically Open Security, the not-for-profit security company contracted to probe iTerm2’s security, have urged users to update the software, which has now been patched. The issue had been sitting in the open (hopefully) unnoticed for approximately seven years, they said.


iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers, Mozilla noted, saying: “MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).”

(Apple’s Terminal is widely looked down upon for lacking various functions. iTerm, by contrast, is seen as hugely feature-rich for power UNIX users).

Mozilla’s Tom Ritter said: “An attacker who can produce output to the terminal can, in many cases, execute commands on the user’s computer.

“Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl and tail -f /var/log/apache2/referer_log.”

He added drily: “We expect the community will find many more creative examples.”

MOSS said: “Typically this vulnerability would require some degree of user interaction or trickery; but because it can be exploited via commands generally considered safe there is a high degree of concern about the potential impact.”
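As an added illustration of the risk class described above (untrusted data such as HTTP referer headers landing in a log that is later viewed with tail -f), and not code from the article or from the iTerm2 project: a Python helper that flags log lines carrying terminal control sequences and strips them before they reach the terminal. The sample log lines are constructed, and the regex covers the common ANSI sequence families rather than any iTerm2-specific behaviour.

```python
import re

# Constructed sample lines standing in for an Apache referer_log (not real data).
# Line 0 is clean; lines 1-3 carry a colour code, an OSC title-set, and a bare BEL.
SAMPLE_LOG = [
    "https://example.org/page -> /index.html",
    "https://example.net/\x1b[31mred\x1b[0m -> /index.html",
    "https://example.com/\x1b]0;title\x07 -> /about.html",
    "plain \x07 bell -> /x",
]

# ESC-introduced sequences: CSI (ESC [ params final-byte), string types
# (OSC/DCS/SOS/PM/APC, running until BEL or ST), two-byte ESC sequences,
# and the 8-bit CSI form (0x9B) that some decoders leave in place.
ANSI_ESCAPE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"                   # CSI
    r"|\x1b[\]PX^_][^\x07\x1b]*(?:\x07|\x1b\\)?"  # OSC, DCS, SOS, PM, APC
    r"|\x1b[@-_]"                                 # two-byte ESC sequences
    r"|\x9b[0-?]*[ -/]*[@-~]"                     # 8-bit CSI
)
# C0 controls and DEL, keeping tab and newline as harmless layout characters.
C0_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def has_control_sequences(line):
    """True if the line could drive the terminal rather than merely print."""
    return bool(ANSI_ESCAPE.search(line) or C0_CONTROL.search(line))


def sanitize(line):
    """Remove escape sequences, then show leftover controls in caret notation."""
    line = ANSI_ESCAPE.sub("", line)
    # XOR with 0x40 maps 0x00-0x1f to '@'..'_' and 0x7f to '?', e.g. BEL -> ^G.
    return C0_CONTROL.sub(lambda m: "^" + chr(ord(m.group()) ^ 0x40), line)


def scan(lines):
    """Return (number of flagged lines, sanitized copies) for a batch of lines."""
    flagged = sum(1 for line in lines if has_control_sequences(line))
    return flagged, [sanitize(line) for line in lines]


if __name__ == "__main__":
    count, clean = scan(SAMPLE_LOG)
    print(f"{count} of {len(SAMPLE_LOG)} lines carried control sequences")
    for line in clean:
        print(line)
```

Piping a log viewer through such a filter neutralises the display layer only; the terminal emulator itself still needs the vendor's patch.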


The vulnerability has been assigned CVE-2019-9535.

iTerm2’s team said they recommend an immediate update, done by opening the iTerm2 menu and choosing “Check for updates…”.

The fix is available in version 3.3.6.

Netherlands-based Radically Open Security is a not-for-profit computer security company legally established as a ‘Fiscaal Fondsenwervende Instelling’ (fiscal fundraising institution) in the Netherlands. This summer it donated 90 percent of its net profit to an internet charity, NLnet, that supports open source technology and open internet research and development.
