MacKeeper Software Admits Existence of Critical Security Hole
MacKeeper is one of the security apps designed for Mac computers that you may want to pass on. The latest addition to the controversy mix is a critical vulnerability uncovered last week and acknowledged by the developers of the security app (via PCWorld).
The security hole allows hackers to execute malicious commends on Macs when visiting a specially crafted website. The main cause of the flaw is the way the security app handles custom URLs, allowing hackers to execute arbitrary commands as root with little or no user interaction.
The flaw was uncovered by security researcher Braden Thomas, who has posted a proof of concept on Twitter. The link he shared — if opened in Safari — executed an arbitrary command: removed MacKeeper from the computer.
What’s alarming is that if MacKeeper had previously prompted the user for a password during normal operation, it didn’t do so now, underscoring the fact that the command was executed as root.
While MacKeeper acknowledged the security hole and quickly issued a fix — you still need to run MacKeeper Update Tracker manually and install the latest version of the app — this major flaw doesn’t fit into the image of a security app. And if we add previous controversies such as fake security and performance-problem warnings, we get the full picture of MacKeeper. Anyway, if you are using this program, you may want to search for better alternatives.