A critical vulnerability has been discovered in the popular iTerm2 application, an open source terminal emulator program designed to replace the default Apple Terminal in macOS.
iTerm2 often finds its way into lists of some of the best software to install on a Mac. It is especially popular with power users as a result of its many features and highly customizable nature. One of these features, the tmux integration mode, is responsible for this vulnerability, and it has existed in iTerm2 for at least seven years, according to the Mozilla Open Source Support Program.
Identified as CVE-2019-9535, the vulnerability affects iTerm2 versions prior to and including 3.3.5. This critical vulnerability allows an attacker to execute arbitrary commands on the victim’s computer in any situation in which attacker-controlled content is output to the terminal.
Many common everyday tasks can be a source of compromise, including viewing log files or opening specially crafted documents while in the iTerm2 terminal. This makes CVE-2019-9535 an especially dangerous vulnerability. Not only that, but specific use of the tmux integration is not required to successfully exploit this security weakness.
Users are strongly urged to update their iTerm2 installations in order to remedy this vulnerability. Reflecting on the relative ease with which attackers can achieve a compromise, not to mention the prolific use of iTerm2 among significant targets such as system administrators and developers, I’d say users should implement this fix sooner rather than later.
The non-vulnerable version can be applied using the “Check for Updates” menu item. This feature should reflect a version of 3.3.6 or greater. Depending on your current installed version, you may need to check for updates and install them multiple times in order to obtain the patched version.