Insufficient input validation can lead to grave consequences

May 11, 2015 22:15 GMT  ·  By
MacKeeper is intended as an automated solution for finding and fixing system issues

A vulnerability in versions of MacKeeper earlier than 3.4.1 allows a remote attacker to execute arbitrary commands with root privileges on a system running OS X.

The flaw resides in the way the program handles its custom URL scheme and can be exploited by an attacker by tricking the user into visiting a maliciously crafted webpage.

Proof-of-concept code published

Under OS X and iOS, programs can register their own URL schemes, which let them perform certain tasks when a link in a webpage is clicked. One example is launching the email client and starting a new message when an email address is clicked.

Kromtech, the current developer of the product, rushed a fix on Friday, offering instructions on how users can install the new version, either via the automatic update system or by manually downloading and installing the fresh revision.

Security researcher Braden Thomas reported the glitch last week and published a proof-of-concept (PoC) that demonstrates it by removing MacKeeper from the system when the user lands on a special website.

Attackers can ask for login data under false pretenses

According to an advisory from SecureMac released last week, at the root of the problem is insufficient validation of the commands executed by MacKeeper using its custom URL scheme.

“If MacKeeper has already prompted the user for their password during the normal course of the program's operation, the user will not be prompted for their password prior to the arbitrary command being executed as root,” the advisory says.

Alternatively, if there is no prior authentication, users are asked to enter their username and password. However, the attacker can present that credential request under a pretext of their own choosing, so the true intention stays hidden and the rogue commands are still executed with root privileges.
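As an added illustration (not code from MacKeeper, Kromtech or SecureMac), the following Python sketch shows the defensive pattern the advisory implies: a URL-scheme handler that accepts only an allowlist of actions and parameter values, and that always asks the user to confirm a privileged action, even when the application already holds a previously entered credential. The `example-app://` scheme, its actions and its parameters are hypothetical; the real MacKeeper URL format is not given in the article.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist: action name -> the parameter names it accepts.
ALLOWED_ACTIONS = {
    "open_dashboard": (),
    "scan": ("mode",),
}
# Each parameter may only take one of a fixed set of values; no free text
# ever reaches a privileged helper.
ALLOWED_VALUES = {"mode": {"quick", "full"}}
# Actions that would run with elevated rights (hypothetical).
PRIVILEGED_ACTIONS = {"scan"}


def validate_url_command(url: str):
    """Return (action, params) if the URL matches the allowlist, else None."""
    parts = urlsplit(url)
    if parts.scheme != "example-app":
        return None
    # Reject anything that smuggles extra path components after the action.
    if parts.netloc and parts.path:
        return None
    action = parts.netloc or parts.path.strip("/")
    if action not in ALLOWED_ACTIONS:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {}
    for key, values in query.items():
        # Unknown keys, repeated keys and unexpected values all fail closed.
        if key not in ALLOWED_ACTIONS[action] or len(values) != 1:
            return None
        if values[0] not in ALLOWED_VALUES.get(key, set()):
            return None
        params[key] = values[0]
    return action, params


def dispatch(url: str, confirm) -> str:
    """Handle a URL-originated request; confirm(action, params) must return
    True before a privileged action runs, regardless of any cached password."""
    result = validate_url_command(url)
    if result is None:
        return "rejected"
    action, params = result
    if action in PRIVILEGED_ACTIONS and not confirm(action, params):
        return "declined"
    return f"ran {action} {params}"
```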

The number of users potentially impacted by the vulnerability is not known, but as of March 24, 2015, MacKeeper has been downloaded more than 20 million times.

The program provides a suite of tools designed to eliminate performance bottlenecks on the system and to maintain its security state. However, there are reports on the web questioning both the application's benefits and the promotion practices used by its developers.