MacKeeper’s Remote Code Execution Vulnerability

If you have MacKeeper, you should be aware that a critical remote code execution vulnerability has been discovered in it. Of course, if you have MacKeeper, you should also get rid of it for a myriad of other reasons.

If you’re not quite sure what MacKeeper is, think back to all of those annoying times when a pop-up would tell you that your Mac was in desperate need of a “clean up”, and that you should really download MacKeeper this instant. You have to close the pop-up multiple times before it goes away. So, what is this annoyance? It’s anti-virus software designed for Mac OS X that is meant to improve performance and security, and it is NOT an Apple product. However, everyone I’ve ever met who has made the mistake of downloading this software has ended up at the Apple store, trying to figure out why their computer is so slow and keeps crashing (hint: it gets magically better once MacKeeper is removed). Even when you do try to remove it from your computer, you’ll discover that it tries to dig in and hold on. In light of that, MacWorld wrote up this article on how to remove it:

Let’s talk about the vulnerability. Braden Thomas, a security researcher at SecureMac, discovered a flaw in the way MacKeeper handles custom URLs. The flaw allows arbitrary commands to be run as root with very little, if any, user interaction. Thomas appears to have a sense of humor: in his proof-of-concept, he demonstrated how a malicious website opened in Safari could execute arbitrary commands, and the command he chose was one that uninstalled MacKeeper.

“Since this is a zero-day vulnerability that exists even in the latest version of MacKeeper (MacKeeper 3.4), it could affect an extremely large number of users,” according to SecureMac’s Security Advisory. “While the POC released by Mr. Thomas is relatively benign, the source code provided with the POC is in the wild and could easily be modified to perform malicious attacks on affected systems.”

So what can you do?  Well, you could uninstall MacKeeper, or you could update, since a patch has been released.
For information on how you can prevent your organization from being breached, visit or call 714-515-4011.
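One practical check to go with the “uninstall or update” advice: the script below, added here and not part of the original post or of SecureMac’s or MacKeeper’s own tooling, reads the installed bundle’s Info.plist and flags any version at or below 3.4, the version the advisory names as affected. The bundle path /Applications/MacKeeper.app and the constructed sample plist are assumptions; the post does not say which version carries the fix, so anything newer than 3.4 is reported for manual confirmation against the vendor’s patch notes rather than declared safe.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed default install location; the post does not state the bundle path.
MACKEEPER_PLIST = Path("/Applications/MacKeeper.app/Contents/Info.plist")
# SecureMac's advisory says the flaw is present up to and including 3.4.
LAST_KNOWN_AFFECTED = "3.4"


def parse_version(text):
    """Turn '3.4.1' into a tuple of ints, tolerating suffixes such as '3.4b'."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing a to b after padding both to equal length."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(version):
    """True when the version is no newer than the last one the advisory calls affected."""
    return compare_versions(version, LAST_KNOWN_AFFECTED) <= 0


def assess(plist_path=MACKEEPER_PLIST):
    """Report whether MacKeeper is installed and whether its version is in the affected range."""
    path = Path(plist_path)
    if not path.is_file():
        return {"installed": False, "version": None, "status": "not installed"}
    with path.open("rb") as fp:
        info = plistlib.load(fp)
    version = str(info.get("CFBundleShortVersionString") or info.get("CFBundleVersion") or "0")
    if is_affected(version):
        status = "affected: uninstall or update"
    else:
        status = "newer than 3.4: confirm against the vendor's patch notes"
    return {"installed": True, "version": version, "status": status}


def write_sample_plist(directory, version):
    """Create a constructed Info.plist for demonstration; not a real MacKeeper bundle."""
    path = Path(directory) / "Info.plist"
    with path.open("wb") as fp:
        plistlib.dump({"CFBundleIdentifier": "example.sample.bundle",  # constructed value
                       "CFBundleShortVersionString": version}, fp)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample mirroring the version the advisory names.
        sample = write_sample_plist(tmp, "3.4")
        print("sample bundle:", assess(sample))
    print("this machine:", assess())
```

Run it on a Mac to see the real verdict for the default bundle location; the constructed sample shows what an affected install reports without needing MacKeeper present.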
