MacKeeper, well known to Mac OS X users for its noisy pop-under ads stressing the need for a system cleanup, has patched a critical remote code execution vulnerability.
The software is marketed as a utility that improves Mac performance and security. The vulnerability was disclosed on Friday, after it had been patched.
Researchers at SecureMac said the flaw lies in the utility's URL handler implementation. An attacker who lures a victim to a malicious webpage could exploit the vulnerability and run code on the victim's machine, provided the user is authenticated to the utility.
Braden Thomas, a researcher, posted a link to his proof-of-concept exploit on Twitter last Thursday. The flaw lies in the way MacKeeper 3.4 and earlier handles custom URLs; an attacker is able to run commands as root with minimal user interaction. Thomas' proof-of-concept exploit takes advantage of a lack of input validation in MacKeeper, SecureMac said.
“At this time it is not known if Mr. Thomas reached out to MacKeeper prior to publication of the vulnerability, but this is likely a zero-day exploit,” SecureMac said in its advisory.
OS X and iOS apps can define and register custom URL schemes so that each OS knows which app should handle a given scheme.
“Normally, this is used to define a custom communication protocol for sending data or performing a specific action (for example, clicking a telephone number link in iOS will ask if the user wants to dial that number, or clicking an e-mail address link in OS X will open Mail.app and compose a new message to that person),” the SecureMac advisory said. “Apple’s inter-application programming guide explicitly tells developers to validate the input received from these custom URLs in order to avoid problems related to URL handling.”
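What that validation looks like in practice, as an added example that is not from the advisory, from Thomas' proof of concept or from MacKeeper: the handler accepts only a known scheme, a known action and exactly the parameters that action expects, each matched against a strict pattern, and then dispatches to a fixed function rather than building a command from the URL. The scheme `exampleutil`, the actions and the parameters are hypothetical, and Python stands in for the Objective-C or Swift an OS X app would use, since the logic is the same.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Hypothetical scheme and actions for illustration; not MacKeeper's real format.
SCHEME = "exampleutil"
# Allowlist of actions, their exact parameter names and a strict value pattern.
ALLOWED_ACTIONS = {
    "scan": {"mode": re.compile(r"quick|full")},
    "open_report": {"id": re.compile(r"[0-9]{1,8}")},
}
# Validated actions map to fixed functions; URL contents never reach a shell.
HANDLERS = {
    "scan": lambda p: "scan:" + p["mode"],
    "open_report": lambda p: "report:" + p["id"],
}

class RejectedURL(ValueError):
    pass  # raised whenever a custom-scheme URL fails validation

def parse_custom_url(url):
    """Return (action, params) for a valid URL, else raise RejectedURL."""
    parts = urlparse(url)
    if parts.scheme != SCHEME:
        raise RejectedURL("unexpected scheme: %r" % parts.scheme)
    action = parts.netloc  # "scheme://action?k=v" puts the action in netloc
    if action not in ALLOWED_ACTIONS:
        raise RejectedURL("unknown action: %r" % action)
    if parts.path not in ("", "/") or parts.fragment:
        raise RejectedURL("unexpected path or fragment")
    try:  # strict_parsing rejects query fields that lack an "="
        pairs = parse_qsl(parts.query, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise RejectedURL("malformed query") from exc
    spec, params = ALLOWED_ACTIONS[action], dict(pairs)
    if len(params) != len(pairs) or set(params) != set(spec):
        raise RejectedURL("duplicate, missing or unexpected parameter")
    for key, value in params.items():
        if not spec[key].fullmatch(value):
            raise RejectedURL("bad value for %r" % key)
    return action, params

def handle_url(url):
    """Validate first, then dispatch to the fixed handler for the action."""
    action, params = parse_custom_url(url)
    return HANDLERS[action](params)

def is_accepted(url):
    """True if the URL passes validation; handy for logging rejected URLs."""
    try:
        return parse_custom_url(url) is not None
    except RejectedURL:
        return False
```

Logging every rejected URL with its reason gives defenders a cheap signal that someone is probing the handler.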
MacKeeper has 20 million users worldwide, according to the company; because the software updates automatically, most users are likely already patched against this issue.
“While the POC released by Mr. Thomas is relatively benign, the source code provided with the POC is in the wild and could easily be modified to perform malicious attacks on affected systems,” SecureMac said.
MacKeeper said it is not aware of any attacks exploiting this vulnerability, and that it patched the issue within hours of being notified.