
Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit

Filed under: Mac, Moz/FF, Security

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the audit), and iTerm2’s developer George Nachman worked closely together to develop and release a patch to ensure users were no longer subject to this security threat. All users of iTerm2 should update immediately to the latest version (3.3.6) which has been published concurrent with this blog post.

Founded in 2015, MOSS broadens access, increases security, and empowers users by providing catalytic support to open source technologists. Track III of MOSS — created in the wake of the 2014 Heartbleed vulnerability — supports security audits for widely used open source technologies like iTerm2. Mozilla is an open source company, and the funding MOSS provides is one of the key ways that we continue to ensure the open source ecosystem is healthy and secure.

iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers. MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).
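The advice above is to update to 3.3.6. Below is an added defender-side check, not code from Mozilla's post or from the iTerm2 project, that reads the version string out of an iTerm2 bundle's Info.plist and reports whether it predates the fix; the bundle path /Applications/iTerm.app, the standard CFBundleShortVersionString key and the sample plist are assumptions constructed for the example.

```shell
#!/bin/sh
# Added fleet-audit check: does an installed iTerm2 predate the 3.3.6 fix?
# Assumed, not from the advisory: bundle path and XML Info.plist with CFBundleShortVersionString.
ITERM_PLIST="${ITERM_PLIST:-/Applications/iTerm.app/Contents/Info.plist}"
FIXED_VERSION="3.3.6"   # first release carrying the CVE-2019-9535 fix, per the advisory
# Print CFBundleShortVersionString from an XML Info.plist. awk instead of PlistBuddy/defaults
# so the same check runs on a Linux audit host (binary plists: plutil -convert xml1 first).
plist_version() {
    awk '/<key>CFBundleShortVersionString<\/key>/ {
            getline; sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$1"
}
# Exit 0 when dotted version $1 is lower than $2; components compare numerically
# (3.3.10 > 3.3.6) and a trailing tag such as "beta1" is ignored.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[^0-9.].*/, "", a); gsub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}
# Exit 0 (and report) when the bundle at $1 still needs the update, 1 when it is fixed,
# 2 when no version could be read.
iterm2_needs_update() {
    v=$(plist_version "$1")
    [ -n "$v" ] || { echo "no version found in $1" >&2; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "iTerm2 $v is vulnerable to CVE-2019-9535; update to $FIXED_VERSION or later"
        return 0
    fi
    echo "iTerm2 $v already contains the fix"
    return 1
}
# Constructed sample plist (an unpatched 3.3.5 install) so the script runs offline.
SAMPLE_PLIST=$(mktemp); trap 'rm -f "$SAMPLE_PLIST"' EXIT
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
	<key>CFBundleShortVersionString</key>
	<string>3.3.5</string>
</dict></plist>
EOF
# Audit the real bundle when present, otherwise the constructed sample.
target="$ITERM_PLIST"; [ -f "$ITERM_PLIST" ] || target="$SAMPLE_PLIST"
iterm2_needs_update "$target"
```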


Packt Hub's Vincy Davis reports

  • Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2

    Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all versions of iTerm2, the GPL-licensed terminal emulator for macOS.

    The security vulnerability was found by a sponsored security audit conducted by the Mozilla Open Source Support Program (MOSS), which delivers security audits for open source technologies. Mozilla and iTerm2’s developer George Nachman have together developed and released a patch for the vulnerability in iTerm2 version 3.3.6.

Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

  • Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

    A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security bug in iTerm2: a popular open source alternative to Apple’s Terminal — which provides a command line interface to control the UNIX-based operating system sitting below macOS.

    Mozilla, iTerm2’s developers and Radically Open Security, the not-for-profit security company contracted to probe iTerm2’s security, have urged users to update the software, which has now been patched. The issue had been sitting in the open (hopefully) unnoticed for approximately seven years, they said.

Critical remote code execution flaw fixed

  • Critical remote code execution flaw fixed in popular terminal app for macOS

    A security audit sponsored by Mozilla uncovered a critical remote code execution (RCE) vulnerability in iTerm2, a popular open-source terminal app for macOS. The flaw can be exploited if an attacker can force maliciously crafted data to be outputted by the terminal application, typically in response to a command issued by the user.

Critical 7-year-old flaw in open-source macOS app iTerm2

  • Patch now, Mac users: Critical 7-year-old flaw in open-source macOS app iTerm2

    Any developers or admins using the iTerm2 app should install the available patch immediately, judging by Mozilla's description, and it sounds like the bug could be exploited in as yet unknown ways.

    "An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer," Mozilla's Tom Ritter writes.

iTerm2 issues emergency update

  • iTerm2 issues emergency update after MOSS finds a fatal flaw in its terminal code

    The author of popular macOS open source terminal emulator iTerm2 has rushed out a new version (v3.3.6) because prior iterations have a security flaw that could allow an attacker to execute commands on a computer using the application.

    The vulnerability (CVE-2019-9535) was identified through the Mozilla Open Source Support Program (MOSS), which arranged to audit iTerm2 under its remit to review open source projects for security problems. A third-party security biz, Radically Open Security, performed the audit.

