A controversial piece of security and maintenance software for Mac OS X computers, known as MacKeeper, has been found to be vulnerable to a critical remote code execution vulnerability.
MacKeeper antivirus software for Mac OS X is designed to improve Mac performance and security, but it is infamous for its noisy "clean up your Mac" pop-under ads that stress the need for a system cleanup. If you try to close the ad, the software will prompt you to "Leave Page/Stay on This Page" dialogues.
The vulnerability details were disclosed on Friday after the patch release, which allows an attacker to execute remotely malicious commands with root privileges on Mac OS X systems when a victim visits specially crafted Web pages.
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.Join Now
MacKeeper Versions Earlier to 3.4.1 are Affected
The remote code execution flaw, affecting the versions earlier to 3.4.1, caused due to the way MacKeeper malware removal software handles its custom URLs, security researchers at SecureMac explained in an advisory.
A remote attacker tricking the victim into visiting a maliciously crafted web page could exploit the flaw and execute arbitrary code with root privilege on the compromised system, with "little to no user interaction" required.
Proof-of-Concept Exploit Released
Security researcher Braden Thomas Posted reported the glitch last Thursday with a proof-of-concept (PoC) exploit that demonstrates the attack in action.
The proof-of-concept exploit published by Thomas on Twitter takes advantage of a lack of input validation by MacKeeper and automatically executes a command to uninstall MacKeeper from the system when the victim lands on a malicious web page.
"If the user hasn't previously authenticated, they will be prompted to enter their username and password" the advisory states, "however the text that appears for the authentication dialogue can be manipulated as part of the exploit … so the user might not realise the consequences of this action."
Vulnerability Patched, Update Released
At the moment SecureMac exposed the details of the glitch, the vulnerability was still zero-day, however since the developers of MacKeeper has released an update, MacKeeper Version 3.4.1, patching the custom URL scheme.
MacKeeper malware removal software has been downloaded more than 20 Million times, which is an enormous number. Therefore in order to be safe, run MacKeeper Update Tracker and install the latest version of MacKeeper, version 3.4.1 or later.
So far, it isn't clear that how this critical vulnerability potentially impacts many users, however, MacKeeper confirmed its users that the company is not aware of any security breach exploiting this vulnerability.