MacKeeper patches remote code execution flaw

The critical vulnerability allows for remote code execution when a user visits crafted webpages.


MacKeeper has disclosed and patched a zero-day exploit which could allow for remote code execution.

Disclosed by MacKeeper on Friday after the problem was patched, the firm's security advisory says the vulnerability -- found within its custom URL scheme -- provides a tunnel for arbitrary remote code execution when a user visits a specially crafted web page.

Braden Thomas and SecureMac originally discovered the flaw. The researchers say the issue lies within the way MacKeeper handles custom URLs, which allows arbitrary commands to "be run as root with little to no user interaction required."

SecureMac released a proof-of-concept on Twitter to prove the existence of the security problem. In the example, the security researchers visited a crafted web page in Safari to run remote code and execute arbitrary commands -- in this case, being the uninstallation of MacKeeper.

Read this

15 tips for staying safe online and preventing identity theft

What are some simple tips, tricks and best-practice methods of keeping yourself and your digital identity safe from hackers?

Read More

"This flaw appears to be caused by a lack of input validation by MacKeeper when executing commands using its custom URL scheme," SecureMac says.

Apple allows apps to define custom URL schemes and register them with the OS so other programs know which app should handle the custom URL scheme.

"Normally, this is used to define a custom communication protocol for sending data or performing a specific action (for example, clicking a telephone number link in iOS will ask if the user wants to dial that number, or clicking an e-mail address link in OS X will open and compose a new message to that person)," the advisory notes.

"Apple's inter-application programming guide explicitly tells developers to validate the input received from these custom URLs in order to avoid problems related to URL handling."

On Twitter, MacKeeper was quick to reassure users, saying "we are working on the resolution of this issue and set its priority to the highest level."

As a zero-day vulnerability, the security flaw could impact a large number of users. MacKeeper claims the company's software has been downloaded over 20 million times worldwide.

"While the POC released by Mr. Thomas is relatively benign, the source code provided with the POC is in the wild and could easily be modified to perform malicious attacks on affected systems," the advisory says.

MacKeeper, developed by ZeoBIT and later sold on to Kromtech, is software meant to improve the stability and speed of Mac computers. However, a common complaint of the software is continual pop-ups and destablization of systems. If you are a user, however, MacKeeper has released a new version of the service which addresses and patches the flaw. Users of MacKeeper should find the issue automatically resolved, or they can manually install the update.

Read on: In the world of security

Read on: Fixes and Flaws