Critical remote code execution flaw fixed in popular terminal app for macOS

A security audit sponsored by Mozilla uncovered a critical remote code execution (RCE) vulnerability in iTerm2, a popular open-source terminal app for macOS. The flaw can be exploited if an attacker can cause maliciously crafted data to be output by the terminal application, typically in response to a command issued by the user.

iTerm2 is an open-source alternative to the built-in macOS Terminal app, which allows users to interact with the command-line shell. Terminal apps are commonly used by system administrators, developers and IT staff in general, including security teams, for a variety of tasks and day-to-day operations.

The iTerm2 app is a popular choice on macOS because it has features and allows customizations that the built-in Terminal doesn't, which is why the Mozilla Open Source Support Program (MOSS) decided to sponsor a code audit for it. MOSS was created in the wake of the critical and wide-impact Heartbleed vulnerability in OpenSSL with the goal of sponsoring security audits for widely used open-source technologies.

"MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators)," Mozilla said in a blog post announcing the newly discovered vulnerability.

The flaw, which is now tracked as CVE-2019-9535, has existed in iTerm2 for the past seven years and is located in the tmux integration. Tmux is a terminal multiplexer that allows running multiple sessions in the same terminal window by splitting the terminal screen.

Many ways to exploit iTerm2 vulnerability

To exploit the vulnerability, attackers need to produce specially crafted output to the user's terminal, and this can be done in many ways: for example, if the user is connected to an attacker-controlled SSH server, if they use the curl command to fetch an attacker-controlled URL, or if they open a local file where the attacker was able to place data, like a web server log.

Successful exploitation can result in arbitrary command execution on the user's machine, which means that the vulnerability enables remote command injection attacks. "Typically, this vulnerability would require some degree of user interaction or trickery, but because it can be exploited via commands generally considered safe there is a high degree of concern about the potential impact," Mozilla said.

The flaw was fixed in iTerm2 version 3.3.6, which was released today, and users are advised to update as soon as possible. By default, the application should notify users that a new version is available. The app's developer, George Nachman, worked closely with Radically Open Security, the company that conducted the audit for MOSS, to develop a patch for the vulnerability.
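As an added example (not code from the article, Mozilla, or the iTerm2 project), the following POSIX shell check reads the installed iTerm2 version and compares it, component by component, against 3.3.6, the first fixed release named above. It assumes the default bundle path /Applications/iTerm.app and that the version is stored under the usual CFBundleShortVersionString key in Info.plist.

```shell
#!/bin/sh
# Check an installed iTerm2 against the CVE-2019-9535 fix (3.3.6 and later).
# Assumptions: default app bundle path and the standard Info.plist version key.
FIXED_VERSION="3.3.6"

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 as $1 is lower than, equal to, or higher than $2.
# A non-numeric suffix (e.g. "3.3.6beta1") is dropped, so a pre-release of a
# version compares equal to that version; treat such builds with care.
version_cmp() {
    a=$(printf '%s.' "$1" | sed 's/[^0-9.].*$//')   # trailing dot: cut always sees a delimiter
    b=$(printf '%s.' "$2" | sed 's/[^0-9.].*$//')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return; fi
        x=${x:-0}; y=${y:-0}                         # missing component counts as 0 (3.4 == 3.4.0)
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
}

# Succeeds (exit 0) when the given version predates the fix.
iterm2_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Read the marketing version from the app bundle (macOS only).
# Usage: installed_iterm2_version [path-to-iTerm.app]
installed_iterm2_version() {
    app=${1:-/Applications/iTerm.app}
    defaults read "$app/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null
}

# Report the installed copy: exit 0 fixed, 1 vulnerable, 2 not found.
check_installed() {
    v=$(installed_iterm2_version "$1") || { printf '%s\n' "iTerm2 not found"; return 2; }
    if iterm2_is_vulnerable "$v"; then
        printf '%s\n' "iTerm2 $v: affected by CVE-2019-9535, update to $FIXED_VERSION or later"
        return 1
    fi
    printf '%s\n' "iTerm2 $v: fixed"
}

# Run the report only when invoked as "sh check_iterm2.sh --check".
case "${1:-}" in --check) check_installed ;; esac
```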

The processing of untrusted data is one of the most common sources of vulnerabilities in applications. For many apps, including iTerm2, this attack vector cannot be avoided because connecting to and loading files from remote servers is one of their main features. When remote code execution flaws are found in such apps, deploying patches as soon as possible is critical because they are a favorite target for attackers.

This story, "Critical remote code execution flaw fixed in popular terminal app for macOS," was originally published by CSO.