A serious flaw in the popular iTerm2 terminal emulator for macOS has been discovered by a Mozilla-funded security audit.

The audit was carried out by Radically Open Security, which seeks to make sure that the open source ecosystem is healthy and secure. iTerm2 was chosen for an audit because of its popularity and because it processes untrusted data.

The identified flaw has been fixed by iTerm2’s developer, George Nachman, with the release of version 3.3.6.

Mozilla said that the flaw could affect over 0.1 million users, including developers, system administrators and others who may be viewed as high-value targets by threat actors.

Tracked as CVE-2019-9535, the flaw exists in the way iTerm2 integrates with tmux, a terminal multiplexer for Unix-like operating systems. An attacker who can supply malicious output to the terminal could remotely execute arbitrary commands with the privileges of the targeted user.

For developers and system administrators, the vulnerability can represent a grave risk, since they often have elevated privileges and access to sensitive information.

Nachman explained that the flaw can be exploited using specially crafted files or malicious input. The CERT Coordination Center noted in an advisory that “potential attack vectors include connecting via SSH to a malicious server, using curl to fetch a malicious website, or using tail -f to follow a logfile containing some malicious content.”
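The vectors CERT lists all come down to untrusted bytes being written to the terminal. The filter below is an added example, not code from the article, iTerm2 or the advisory: it rewrites terminal control sequences as inert text before they are displayed and reports what it found. The article does not say which bytes trigger the flaw, so the filter assumes every escape or control sequence in untrusted output is suspect; the function names and sample log lines are constructed for illustration.

```python
import re
import sys

# Terminal control sequences in their 7-bit ESC-introduced forms, plus stray
# C0/C1 control characters. Tab, LF and CR are left alone: normal logs use them.
CONTROL = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI (cursor movement, colours)
    r"|\x1b[PX^_\]].*?(?:\x1b\\|\x07|$)"    # DCS/SOS/PM/APC/OSC up to ST, BEL or end of line
    r"|\x1b."                               # any other two-character escape
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]"
)
KINDS = {"[": "CSI", "]": "OSC", "P": "DCS", "X": "SOS", "^": "PM", "_": "APC"}

def classify(seq):
    """Name the kind of control sequence, for logging or alerting."""
    if seq[0] == "\x1b" and len(seq) > 1:
        return KINDS.get(seq[1], "ESC")
    return "CTRL"

def visible(ch):
    """Render a non-printable character as inert \\xNN text."""
    return ch if ch.isprintable() else "\\x%02x" % ord(ch)

def sanitize_line(raw):
    """Return (safe_text, findings) for one line of untrusted bytes."""
    text = raw.decode("utf-8", errors="replace")
    findings = [classify(m.group()) for m in CONTROL.finditer(text)]
    safe = CONTROL.sub(lambda m: "".join(map(visible, m.group())), text)
    return safe, findings

# Constructed sample log lines (not taken from any real exploit).
SAMPLE_LOG = [
    b"2019-10-09 12:00:01 GET /index.html 200\n",
    b"2019-10-09 12:00:02 GET /\x1b[31mred\x1b[0m 404\n",
    b"2019-10-09 12:00:03 UA=\x1b]0;constructed-title\x07 200\n",
    b"2019-10-09 12:00:04 UA=\x1bPconstructed-payload\x1b\\ 200\n",
]

if __name__ == "__main__":
    # With piped input (tail -f app.log | python3 this_file.py) filter stdin;
    # run directly to see the constructed sample.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.buffer
    for number, line in enumerate(source, 1):
        safe, findings = sanitize_line(line)
        sys.stdout.write(safe)
        sys.stdout.flush()
        if findings:
            print(f"line {number}: neutralized {findings}", file=sys.stderr)
```

Filtering output this way reduces exposure when viewing untrusted data; it does not replace updating to the fixed release.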

Mozilla says the flaw appears to have been present in iTerm2 for at least 7 years. The organization has published a video showing an exploit in action.

“Typically this vulnerability would require some degree of user interaction or trickery; but because it can be exploited via commands generally considered safe there is a high degree of concern about the potential impact,” Mozilla’s Tom Ritter explained.
