Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit

Filed under
Mac
Moz/FF
Security

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the audit), and iTerm2’s developer George Nachman worked closely together to develop and release a patch to ensure users were no longer subject to this security threat. All users of iTerm2 should update immediately to the latest version (3.3.6) which has been published concurrent with this blog post.

Founded in 2015, MOSS broadens access, increases security, and empowers users by providing catalytic support to open source technologists. Track III of MOSS — created in the wake of the 2014 Heartbleed vulnerability — supports security audits for widely used open source technologies like iTerm2. Mozilla is an open source company, and the funding MOSS provides is one of the key ways that we continue to ensure the open source ecosystem is healthy and secure.

iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers. MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).

Read more

Packt Hub's Vincy Davis reports

  • Mozilla’s sponsored security audit finds a critical vulnerability in the tmux integration feature of iTerm2

    Yesterday, Mozilla announced that a critical security vulnerability is present in the terminal multiplexer (tmux) integration feature in all versions of iTerm2, the GPL-licensed terminal emulator for macOS.

    The security vulnerability was found by a sponsored security audit conducted by the Mozilla Open Source Support Program (MOSS), which delivers security audits for open source technologies. Mozilla and iTerm2’s developer George Nachman have together developed and released a patch for the vulnerability in iTerm2 version 3.3.6.

Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

  • Critical iTerm 2 Bug Patched after Mozilla-Backed Audit

    A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security bug in iTerm2: a popular open source alternative to Apple’s Terminal — which provides a command line interface to control the UNIX-based operating system sitting below macOS.

    Mozilla, iTerm2’s developers and Radically Open Security, the not-for-profit security company contracted to probe iTerm2’s security, have urged users to update the software, which has now been patched. The issue had been sitting in the open (hopefully) unnoticed for approximately seven years, they said.

Critical remote code execution flaw fixed

  • Critical remote code execution flaw fixed in popular terminal app for macOS

    A security audit sponsored by Mozilla uncovered a critical remote code execution (RCE) vulnerability in iTerm2, a popular open-source terminal app for macOS. The flaw can be exploited if an attacker can force maliciously crafted data to be outputted by the terminal application, typically in response to a command issued by the user.

Critical 7-year-old flaw in open-source macOS app iTerm2

  • Patch now, Mac users: Critical 7-year-old flaw in open-source macOS app iTerm2

    Any developers or admins using the iTerm2 app should install the available patch immediately; judging by Mozilla's description, it sounds like the bug could be exploited in as yet unknown ways.

    "An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer," Mozilla's Tom Ritter writes.

iTerm2 issues emergency update

  • iTerm2 issues emergency update after MOSS finds a fatal flaw in its terminal code

    The author of popular macOS open source terminal emulator iTerm2 has rushed out a new version (v3.3.6) because prior iterations have a security flaw that could allow an attacker to execute commands on a computer using the application.

    The vulnerability (CVE-2019-9535) was identified through the Mozilla Open Source Support Program (MOSS), which arranged to audit iTerm2 under its remit to review open source projects for security problems. A third-party security biz, Radically Open Security, performed the audit.

More in Tux Machines

Best Torrent Clients for Linux

This article will cover various free and open source Torrent clients available for Linux. The torrents clients featured below have nearly identical feature sets. These features include support for magnet links, bandwidth control tools, tracker editing, encryption support, scheduled downloading, directory watching, webseed downloads, peer management, port forwarding and proxy management. Unique features of individual torrents clients are stated in their respective headings below. Read more

Audiocasts/Shows: Adding And Removing Swap Files Is Easy In Linux, Linux Action News, Open Source Security Podcast

  • Adding And Removing Swap Files Is Easy In Linux
  • Linux Action News 155

    We try out the new GNOME "Orbis" release and chat about Microsoft's new Linux kernel patches that make it clear Windows 10 is on the path to a hybrid Windows/Linux system. Plus, the major re-architecture work underway for Chrome OS with significant ramifications for Desktop Linux.

  • Open Source Security Podcast Episode 216 – Security didn’t find life on Venus

    Josh and Kurt talk about how we talk about what we do in the context of life on Venus. We didn’t really discover life on Venus, we discovered a gas that could be created by life on Venus. The world didn’t hear that though. We have a similar communication problem in security. How often are your words misunderstood?

Matthias Clasen: GtkColumnView

One thing that I left unfinished in my recent series on list views and models in GTK 4 is a detailed look at GtkColumnView. This will easily be the most complicated part of the series. We are entering into the heartland of GtkTreeView—anything aiming to replace most of its features will be a complicated beast. Read more

Also: Oculus Rift CV1 progress

AMD and Intel (x86) in Linux

  • Linux 5.10 Adding Support For AMD Zen 3 CPU Temperature Monitoring

    The next version of the Linux kernel will allow monitoring temperatures of the upcoming AMD Zen 3 processors. While CPU temperature monitoring support may seem mundane and not newsworthy, what makes this Zen 3 support genuinely interesting is that it's coming pre-launch... This is the first time in the AMD Zen era we are seeing CPU temperature reporting added to the Linux driver pre-launch. Not only is it coming ahead of the CPUs hitting retail channels but the support was added by AMD engineers.

  • FFmpeg Now Supports GPU Inference With Intel's OpenVINO

    Earlier this summer Intel engineers added an OpenVINO back-end to the FFmpeg multimedia framework. OpenVINO as a toolkit for optimized neural network performance on Intel hardware was added to FFmpeg for the same reasons there is TensorFlow and others also supported -- support for DNN-based video filters and other deep learning processing.

  • Intel SGX Enclave Support Sent Out For Linux A 38th Time

    For years now Intel Linux developers have been working on getting their Software Guard Extensions (SGX) support and new SGX Enclave driver upstreamed into the kernel. SGX has been around since Skylake, but security concerns and other technical reasons have held up this "SGX Foundations" support from being mainlined. There has also been an apparent lack of enthusiasm for SGX among non-Intel upstream kernel developers. This past week saw the 38th revision of the patches in their quest to upstream this support for handling the Memory Encryption Engine (MEE) and related SGX infrastructure. [...] The Intel SGX foundations v38 code can be found via the kernel mailing list. The Linux 5.10 merge window opens next month, but it remains to be seen whether it will be queued for this next cycle or dragged out further into 2021.

  • Intel SGX foundations
    Intel(R) SGX is a set of CPU instructions that can be used by applications
    to set aside private regions of code and data. The code outside the enclave
    is disallowed from accessing the memory inside the enclave by the CPU access
    control.
    
    There is a new hardware unit in the processor called Memory Encryption
    Engine (MEE) starting from the Skylake microarchitecture. BIOS can define
    one or many MEE regions that can hold enclave data by configuring them with
    PRMRR registers.
    
    The MEE automatically encrypts the data leaving the processor package to
    the MEE regions. The data is encrypted using a random key whose life-time
    is exactly one power cycle.
    
    The current implementation requires that the firmware sets
    IA32_SGXLEPUBKEYHASH* MSRs as writable so that ultimately the kernel can
    decide what enclaves it wants run. The implementation does not create
    any bottlenecks to support read-only MSRs later on.
    
    You can tell if your CPU supports SGX by looking into /proc/cpuinfo:
    
    	cat /proc/cpuinfo | grep sgx