A “critical” vulnerability in the controversial Mac security program MacKeeper could allow attackers to take over a system if the user visits a specially crafted web page.
MacKeeper said it has issued a new version of the application that fixes the issue, version 3.4.1, and urged users to update. The program is set by default to automatically download new releases.
The vulnerability exists in the way MacKeeper handles customised web addresses, according to the company. MacKeeper registers with Mac OS X to handle its own customised URL scheme, so that the program launches whenever those URLs are run in a browser. However, the vulnerable versions don’t properly validate the input from such addresses, according to an advisory from security firm SecureMac.
As a result, such a URL can be crafted in such a way as to run arbitrary commands with the same privileges as MacKeeper, that is, with administrator privileges, researchers said.
If MacKeeper has already asked for the user’s password during the program’s normal operations, the command will be run without user interaction. Otherwise, MacKeeper will ask for the user’s password, but the dialogue box’s text can be manipulated so that the user might not know what they are authorising, MacKeeper said.
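The defence against this class of bug is to treat a custom-scheme URL as untrusted input: match the requested action against a fixed list and never hand any part of the URL to a shell. The following handler is an added illustration, not MacKeeper's code; the scheme name, action names and argument format are assumptions, since the page does not name MacKeeper's actual scheme.

```python
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical scheme and action allowlist (constructed for this example).
SCHEME = "exampleapp"
ALLOWED_ACTIONS = {"open_dashboard", "show_report"}
# Arguments may only contain a short run of safe characters.
_SAFE_ARG = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def parse_custom_url(url):
    """Return (action, args) for an allowlisted URL, else raise ValueError.

    The action is looked up in a fixed set and every argument must match a
    strict pattern, so a crafted link cannot smuggle in commands or flags.
    The caller dispatches on the returned action name; nothing from the
    URL is ever interpolated into a shell command.
    """
    parts = urlparse(url)
    if parts.scheme != SCHEME:
        raise ValueError("unexpected scheme: %r" % parts.scheme)
    action = parts.netloc or parts.path.strip("/")
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action: %r" % action)
    args = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if len(values) != 1 or not _SAFE_ARG.match(key) or not _SAFE_ARG.match(values[0]):
            raise ValueError("rejected argument: %r" % key)
        args[key] = values[0]
    return action, args


def is_safe_url(url):
    """True if the URL would be accepted by parse_custom_url."""
    try:
        parse_custom_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample links: one well-formed, one carrying shell syntax.
    for link in ("exampleapp://show_report?id=42",
                 "exampleapp://show_report?id=42;rm%20-rf%20~"):
        print(link, "->", "accepted" if is_safe_url(link) else "rejected")
```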
SecureMac noted that the vulnerability “could affect an extremely large number of users”, since MacKeeper said recently it has surpassed 20 million downloads worldwide.
The researcher who discovered the flaw, Braden Thomas, released a proof-of-concept exploit via Twitter, including a link to the source code for the exploit, meaning that the issue would be easily exploitable by hackers. The proof-of-concept runs a command that removes MacKeeper from the system.
“There are no known cases of any security breach and the fix was created within hours of being notified,” MacKeeper said in its advisory.
MacKeeper, created by Ukrainian developer Slava Kolomiychuk, was sued in 2014 for allegedly telling users that nonexistent problems were found on their systems in order to coerce them into buying the program. The lawsuit is close to a settlement that would see MacKeeper pay $2m in refunds, without admitting fault.