Vulnerability for remote code execution in terminal emulator iTerm2 fixed
A serious security vulnerability in iTerm2, a popular terminal emulator for macOS that is widely used by software developers, has been patched. The vulnerability is reported to have been present in the program for at least seven years.
The vulnerability was discovered by the Mozilla Open Source Support program, which described it in a blog post. The security flaw allowed attackers to execute commands on users’ computers in many cases. Mozilla writes that the vulnerability “requires some form of user interaction or deception,” such as a phishing attack. The vulnerability is known as CVE-2019-9535.
Despite this, the researchers say the potential impact is large if someone exploits the vulnerability, because it can be triggered through commands that are normally considered safe. For example, a user could inadvertently request a malicious URL with the cURL command, or unknowingly connect to a command-and-control server via ssh.
An update that fixes the vulnerability is now available to all users. The fix is included in version 3.3.6, which was published at the same time as Mozilla’s blog post. iTerm2 will eventually prompt users to install the update, but for now it has to be applied manually.
The vulnerability was discovered by researchers at Radically Open Security, which carried out the audit on behalf of Mozilla. The Mozilla Open Source Support program has existed since 2015. In 2016, Mozilla started the Secure Open Source Fund, also known as the SOS Fund, through which it finances security audits of open source projects. With this, the team behind Firefox hopes to prevent new security incidents such as Heartbleed, Shellshock and other branded bugs.