The bug could allow attackers to take over a user’s system by launching a specially crafted URL
A “critical” vulnerability in the controversial Mac security program MacKeeper could allow attackers to take over a system if the user visits a specially crafted web page.
MacKeeper said it has issued a new version of the application that fixes the issue, version 3.4.1, and urged users to update. The program is set by default to automatically download new releases.
Security researchers noted that a proof-of-concept and exploit code are publicly available, so the issue poses an immediate danger to millions of MacKeeper users.
The vulnerability exists in the way MacKeeper handles customised web addresses, according to the company. MacKeeper registers with Mac OS X to handle its own customised URL scheme, so that the program launches whenever a URL using that scheme is opened in a browser. However, the vulnerable versions don’t properly validate the input from such addresses, according to an advisory from security firm SecureMac.
As a result, a URL can be crafted to run arbitrary commands with the same privileges as MacKeeper, that is, with administrator privileges, researchers said.
If MacKeeper has already asked for the user’s password during the program’s normal operations, the command will be run without user interaction. Otherwise, MacKeeper will ask for the user’s password, but the dialogue box’s text can be manipulated so that the user might not know what they are authorising, MacKeeper said.
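The input validation that the advisory says was missing can be sketched as follows. This is an added illustration, not code from MacKeeper, SecureMac or the researcher; the scheme name `exampleapp`, the actions, the parameter names and the prompt strings are all hypothetical, since the page does not publish MacKeeper's URL format. The handler accepts only allowlisted actions and parameters and takes the password prompt text from a fixed table, never from the URL.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SCHEME = "exampleapp"  # hypothetical scheme name (assumption)

# Fixed table of what a URL may request. The prompt shown to the user is
# stored here, so nothing in a URL can change what the dialogue box says.
ACTIONS = {
    "scan": {"params": {"target": re.compile(r"[a-z]{1,16}")},
             "prompt": "ExampleApp wants to scan your disk."},
    "update": {"params": {},
               "prompt": "ExampleApp wants to install an update."},
}

class RejectedURL(ValueError):
    """Raised for any URL that is not an exact match for an allowed request."""

def validate_url(url):
    """Return (action, params, prompt) for an allowed URL, else raise RejectedURL."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise RejectedURL("malformed URL") from exc
    if parts.scheme != SCHEME or parts.path not in ("", "/") or parts.fragment:
        raise RejectedURL("unexpected scheme, path or fragment")
    spec = ACTIONS.get(parts.netloc)  # exact match; no prefix or case folding
    if spec is None:
        raise RejectedURL("action not on the allowlist")
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = spec["params"].get(key)
        # Reject unknown keys, repeated keys and values outside the strict pattern.
        if pattern is None or key in params or not pattern.fullmatch(value):
            raise RejectedURL(f"parameter {key!r} rejected")
        params[key] = value
    return parts.netloc, params, spec["prompt"]

def accepted(url):
    """True if the URL passes validation, False if it is rejected."""
    try:
        validate_url(url)
        return True
    except RejectedURL:
        return False

if __name__ == "__main__":
    # Constructed sample URLs, for illustration only.
    for sample in ("exampleapp://scan?target=home",
                   "exampleapp://update?prompt=Enter+your+password",
                   "exampleapp://scan?target=..%2F..%2Fbin"):
        print(sample, "->", "accepted" if accepted(sample) else "rejected")
```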
Many could be affected
SecureMac noted that the vulnerability “could affect an extremely large number of users”, since MacKeeper said recently it has surpassed 20 million downloads worldwide.
The researcher who discovered the flaw, Braden Thomas, released a proof-of-concept exploit via Twitter, including a link to the source code for the exploit, meaning that the issue would be easily exploitable by hackers. The proof-of-concept runs a command that removes MacKeeper from the system.
“There are no known cases of any security breach and the fix was created within hours of being notified,” MacKeeper said in its advisory.
MacKeeper, created by Ukrainian developer Slava Kolomiychuk, was sued in 2014 for allegedly telling users that nonexistent problems were found on their systems in order to coerce them into buying the program. The lawsuit is close to a settlement that would see MacKeeper pay $2m in refunds, without admitting fault.