MacKeeper flaw enables attacker to run code with admin rights

A serious vulnerability has been discovered in the MacKeeper utility program that would enable an attacker to encode executable instructions in a URL link.


If you are running MacKeeper on your Mac – why?

That's the question that many in the industry are asking as, yet again, a serious vulnerability has been discovered in this all-in-one utility program. In this case, the vulnerability would enable an attacker to encode executable instructions in a URL link.

MacKeeper was created by ZeoBIT, a Ukrainian company, and is now distributed by Kromtech Alliance Corp. It claims to be an all-in-one security package for Macs, including anti-virus and safe browsing, with tracking capabilities if your Mac is stolen, removal of junk files and other features. It claims to have been downloaded more than 20 million times in the past five years.

However, many commentators have railed against the software, describing it as little more than nuisance-ware, possibly far worse, and notoriously difficult to uninstall.

The MacKeeper vulnerability was first discovered by a security researcher, Braden Thomas, who announced it on Twitter.

A few weeks later, Sergei Shevchenko, Cyber Researcher at BAE Systems, reported that the vulnerability had been seen in the wild. “The attack this post discusses can be carried out via a phishing email that contains a malicious URL,” Shevchenko wrote. “Once clicked, the users running MacKeeper will be presented with a dialogue that suggests they are infected with malware, prompting them for a password to remove this. The actual reason is so that the malware could be executed with the admin rights.”

SecureMac posted the details on its website, describing the exploit and including proof-of-concept code. The risk level was described as critical for users running MacKeeper. “If MacKeeper has already prompted the user for their password during the normal course of the program's operation, the user will not be prompted for their password prior to the arbitrary command being executed as root. If the user hasn't previously authenticated, they will be prompted to enter their username and password – however, the text that appears for the authentication dialog can be manipulated as part of the exploit and set to anything, so the user might not realise the consequences of this action,” the advisory read in part.

SecureMac said it was not known if Thomas had informed MacKeeper directly, but in a reply on Thomas's Twitter, it appeared that MacKeeper staff were aware of the announcement, and the following day, SecureMac posted an update saying that MacKeeper had released a new version of the software which addressed the security issue.

The response from Kromtech, the company behind MacKeeper, appears to follow industry best practice for handling bug reports. A short statement on the MacKeeper blog confirmed the vulnerability and unveiled a fix, with a link to download the latest version. It didn't offer any details of the vulnerability nor how it was patched, but it did acknowledge Braden Thomas and SecureMac for reporting the problem.

However, industry commentators are not enamoured of the product and the company will have to do a lot more to convince them otherwise.

Gavin Reid, VP of threat intelligence, Lancope, is one security expert who shares the wider concerns about MacKeeper. “MacKeeper's reputation has been tarnished with their very aggressive marketing and affiliate campaigns. All software contains vulnerabilities and certainly this one, if severe as reported, could make users consider if they really need the software's functionality,” he said.

Meanwhile, Simon Crosby, CTO and co-founder of Bromium, feels the problem goes deeper than just MacKeeper. “The idea that any traditional operating system – OSX, Windows or Linux – can defend itself from arbitrary executable code delivered from the web, needs to be recognised as fundamentally flawed. The only way forward is to eliminate vectors of attack by isolating the execution of untrusted content. Micro-virtualisation achieves this goal using endpoint CPU features for virtualisation to hardware-isolate untrusted tasks, enabling the endpoint to secure itself by design.”

And conceptually, there's a problem with the way the software communicates, said another security expert.

"Every additional piece of software installed, no matter how necessary or well-intentioned, increases the attack surface of the device," said Adam Winn, senior product manager, OPSWAT. "This is reminiscent of the Dell System Detect vulnerability exposed earlier this year. Using URLs for inter-application communication is growing in popularity, but it does increase risk."
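To make Winn's design point and the advisory's description concrete, here is an added illustration (hypothetical code, not MacKeeper's and not from the advisory) of a custom URL-scheme handler in the unsafe shape described above, where the URL supplies both the privileged command and the prompt text, next to a hardened version that only accepts a fixed set of named actions and always asks for fresh consent. The scheme name `example-app` and the query parameters are assumptions.

```python
"""Hypothetical custom-URL-scheme handlers: the unsafe shape the
advisory describes, then a hardened one. Nothing here executes
anything; both only return what they WOULD do, for inspection."""
from typing import Optional
from urllib.parse import urlparse, parse_qs

SCHEME = "example-app"  # assumed scheme name, not MacKeeper's


def unsafe_handle(url: str) -> dict:
    """Unsafe: the URL chooses the command handed to the root helper
    AND the wording of the authorization prompt, and a previously
    cached authorization is reused without asking again."""
    q = parse_qs(urlparse(url).query)
    return {
        "run_as_root": q.get("cmd", [""])[0],          # attacker-chosen
        "prompt": q.get("msg", ["Authenticate"])[0],   # attacker-chosen
        "reuse_cached_auth": True,                     # no fresh consent
    }


# Hardened: a URL may only name one of a few fixed actions. Each maps to
# a fixed internal operation and a fixed, honest prompt; free-form text
# from the URL never reaches the helper or the dialog.
ALLOWED_ACTIONS = {
    "scan":   ("run-scan",   "Example-app wants to scan this Mac."),
    "update": ("run-update", "Example-app wants to check for updates."),
}


def safe_handle(url: str) -> Optional[dict]:
    """Returns a request for the privileged helper, or None if the URL
    is not ours or does not name an allow-listed action."""
    u = urlparse(url)
    if u.scheme != SCHEME:
        return None
    action = parse_qs(u.query).get("action", [None])[0]
    if action not in ALLOWED_ACTIONS:
        return None  # unknown or free-form input is dropped, not run
    op, prompt = ALLOWED_ACTIONS[action]
    # Every URL-triggered privileged action re-prompts the user, so a
    # password typed earlier in the session cannot be silently reused.
    return {"run_as_root": op, "prompt": prompt, "reuse_cached_auth": False}
```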