Pop-up pest MacKeeper patches 0-day remote code execution vuln

URL-handling leaves users well and truly rooted

Skull image

A notorious piece of Mac maintenance software been found to have a critical remote code execution vulnerability.

MacKeeper is infamous for its “clean up your Mac”-style popups, complete with designed-to-be-confusing "Leave Page/Stay on This Page” dialogues if you try to close the ad.

News that the company behind the pestware has a vulnerability will therefore amuse Mac users annoyed by the publisher's advertising.

The company's announcement identifies its custom URL scheme as the culprit. The bug is explained further here at SecureMac.

That post explains the discovery by researcher Braden Thomas: MacKeeper handles custom URLs in a way that allows commands to be run as root, with “little to no user interaction” required.

If the user has already provided their password to MacKeeper, commands will be run as root without the user being asked again.

“If the user hasn't previously authenticated, they will be prompted to enter their username and password” – which given the depressing state of user awareness, many would provide – “however the text that appears for the authentication dialogue can be manipulated as part of the exploit … so the user might not realise the consequences of this action”.

His proof-of-concept demonstrated the behaviour with a custom web page presented to Safari – and with a little schadenfreude, perhaps, Thomas' PoC uninstalls MacKeeper.

At the time SecureMac wrote its post, the bug was still a zero-day, but since the MacKeeper has released an update, Version 3.4.1, which revises the custom URL scheme.

“There are no known cases of any security breech [sic] and the fix was created within hours of being notified”, the company wrote. ®

Sponsored: Becoming a Pragmatic Security Leader




Biting the hand that feeds IT © 1998–2019