MacKeeper 0-day flaw more than 20 million users affected

If you are a Mac user and not using MacKeeper, you probably seen it in some pop-under ads on spam or porn websites as advertisement and their infamous “Leave Page/Stay on This Page” dialogue, no wonder it been affected by 0-day emoemote code execution flaw considering what kind of ads campaigns they use for promotion…

MacKeeper 3.4.1 and earlier are affected, the way it handles custom URLs in a specific way that could allow hackers to run commands as a root user, with little of user interaction which is required.

Security Researcher Braden Thomas has published proof-of-concept (POC) and demonstrated how he executed arbitrary commands by visiting crafted webpage in safari, the command itself was designed to uninstall MacKeeper when executing commands using its custom URL, if the user has already provided his personal password to MacKeeper anti-virus, command will be run as root without any additional steps, however if user did not provide password they will be prompted to enter their credentials, which comes to the question as many users would provide their username and password so the users would not realise the consequences.

So, feel free to share this PoC around: http://t.co/zYW4z7RIFd. Runs "rm -rf /Applications/MacKeeper.app". Source: http://t.co/4sHg2dH6Ca

— Braden Thomas (@drspringfield) May 7, 2015

At this time vulnerability has been patched and update released, make sure to run MacKeeper Update and install the latest version 3.4.1 or latest, so far it isn’t clear how big impact had on it users, so far Kromtech the European investment company that stand behind MacKeeper did not confirm neither is aware of any cyber breach exploiting this security flaw.

Risk: Critical (for OSX users using MacKeeper anti virus )

Alternative to MacKeeper:

AVG – Antivirus (free) combining with Clean My Mac 3 (paid + free trial)