Second MacKeeper security flaw found, being actively exploited
MacNN Staff
Join Date: Jul 2012
Jun 25, 2015, 05:43 PM
Users of controversial utility software MacKeeper who are not up-to-date on the latest version are vulnerable to a serious security flaw that can trick users into passing their admin passwords onto attackers, thus leaving the Mac vulnerable to a complete remote takeover. Though the problem has been fixed in version 3.4.1 of the much-maligned "cleanup" utility, the flaw is being actively exploited in the wild by attackers preying on users who have not updated.

Earlier versions of MacKeeper offered a Remote Code Execution (RCE) backdoor that allowed hackers to inject code redirecting the program to an infected webpage hosting malware known as OSX/Agent-ANTU, which would then use a single line of JavaScript to produce a fake malware report that looks like it comes from MacKeeper, requesting the user's administrative login credentials.

Once obtained, the attacker could then install a bot program to collect system details and execute commands remotely. Attacks "in the wild" were spotted just a few days after the initial proof-of-concept and documentation of the flaw were published. Because many of the company's 20 million users were enticed to download the program through "scareware" ads or other aggressive sales tactics, they may be loath to update -- or may believe the program has been removed when in fact it is exceedingly difficult to remove completely, leaving the host Mac still vulnerable to the attack.

An investigation of the software by Mac-Forums found that it did perform some of the advertised functions, but that everything beneficial the program did could also be done by a range of either built-in Mac utilities or free third-party programs that do not rely on "scareware" tactics. The analysis found that while the program was not itself malicious in nature, it was poorly executed even in its advertised functions, and once one added the extortionate fear-based advertising, poor product support, and deliberately obtuse full-removal process, it was a poor choice compared to excellent free third-party or Apple-included utility apps.

This is the second serious security flaw to be found in the program in as many months; an earlier flaw, discovered last month, was caused by MacKeeper ignoring an Apple guideline regarding input validation for custom URL schemes -- the same technology that allows Mac and iOS users to tap on a phone number or date to launch a given application, or to create non-standard URLs such as direct iTunes links. Apple cautions developers that they must validate the input so that the chosen URL is legitimate and not a specially crafted malicious one, but MacKeeper's developers apparently disregarded that, creating a zero-day exploit that could wreak havoc if users accidentally clicked on a malicious URL.
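As an added example (not MacKeeper's code; the `exampleutil` scheme, its actions, parameters and vendor hosts are hypothetical), this is the kind of input validation Apple's guideline asks a custom URL-scheme handler to perform: the scheme, the action and every parameter are treated as untrusted, and an embedded URL is only forwarded to a web view when it is https and points at a vendor-controlled host.

```python
from urllib.parse import urlparse, parse_qs

# Hypothetical custom scheme and allowlists; none of these are MacKeeper's.
EXPECTED_SCHEME = "exampleutil"
ALLOWED_ACTIONS = {"scan", "report", "open-help"}
ALLOWED_HOSTS = {"help.example.test", "www.example.test"}
MAX_URL_LEN = 2048


class InvalidCustomURL(ValueError):
    """Raised when an incoming custom-scheme URL fails validation."""


def validate_custom_url(raw: str) -> dict:
    """Parse exampleutil://<action>?<params> and return only the action and
    parameters that passed allowlist and type checks; anything else raises."""
    if len(raw) > MAX_URL_LEN or any(ord(c) < 0x20 for c in raw):
        raise InvalidCustomURL("oversized or contains control characters")
    parsed = urlparse(raw)
    if parsed.scheme.lower() != EXPECTED_SCHEME:
        raise InvalidCustomURL(f"unexpected scheme {parsed.scheme!r}")
    action = parsed.netloc.lower()
    if action not in ALLOWED_ACTIONS:
        raise InvalidCustomURL(f"unknown action {action!r}")
    # parse_qs already percent-decodes; decoding again would let an encoded
    # payload slip past the checks below, so the values are used as returned.
    params = parse_qs(parsed.query, keep_blank_values=False)
    clean = {"action": action}
    for key, values in params.items():
        if len(values) != 1:
            raise InvalidCustomURL(f"duplicate parameter {key!r}")
        value = values[0]
        if key == "url":
            target = urlparse(value)
            # Only https, and only to a vendor host: a redirect to a
            # third-party page hosting a fake report is refused here.
            if target.scheme != "https" or target.hostname not in ALLOWED_HOSTS:
                raise InvalidCustomURL(f"disallowed target {value!r}")
            clean["url"] = value
        elif key == "report_id":
            if not value.isdigit() or len(value) > 12:
                raise InvalidCustomURL("report_id must be a short integer")
            clean["report_id"] = int(value)
        else:
            raise InvalidCustomURL(f"unexpected parameter {key!r}")
    return clean


def is_rejected(raw: str) -> bool:
    """True when the handler would refuse to act on this URL."""
    try:
        validate_custom_url(raw)
    except InvalidCustomURL:
        return True
    return False
```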

Instructions on how to fully remove MacKeeper can be found here. MacNN recommends that users avoid this and future issues by uninstalling the program completely. Readers may occasionally see ads for the product on MacNN, due to our keyword-based advertising system and the distributor's aggressive ad buying, but it is emphatically not endorsed by the editorial staff of MacNN, who are independent of the advertising aggregators we use to support the site.
Fresh-Faced Recruit
Join Date: Aug 2001
Jun 26, 2015, 01:16 AM
The biggest flaw in the software is their marketing. They are the kings of pop-under ads. The single most annoying spammer I know.
Professional Poster
Join Date: Jan 2000
Location: Columbus, OH
Jun 26, 2015, 06:46 AM
Senior User
Join Date: Sep 2001
Location: in front of my computer
Jun 26, 2015, 08:57 AM
Input validation is one of the most basic security measures... I wish the people responsible for MacKeeper could be thrown in prison for a year or two. I don't think they even had to cough up all or most of the profit they made from their grift.
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Jun 26, 2015, 10:01 AM
Don't forget the class action suit settlement offer!

MacKeeper developers facing class-action suit, $2M payout proposed | MacNN
Fresh-Faced Recruit
Join Date: Dec 2008
Jun 26, 2015, 12:00 PM
MacKeeper is malware, plain and simple. It attracts the garbage and puts it on your system. It slows your system down. If you have installed it, throw it in the trash from your Applications folder. It should then prompt you to uninstall it. You don't need this software because it does nothing for you, period. Another piece of trash to get rid of is TuneUpMyMac. This one is even worse than MacKeeper, as it will crash apps like Safari and then ask you for $100 to fix it. Actually, the TuneUpMyMac application is the cause of the crash, so if you have installed this software, trash it immediately! Restart and you will notice that your Safari now works again. Amazing.
All contents of these forums © 1995-2017 MacNN. All rights reserved.