Sometimes, the tool that saves your computer can become a threat in itself. Such appears to be the case with Webroot antivirus: researchers discovered a Webroot SecureAnywhere vulnerability in its Mac version that could allow an attacker to execute arbitrary code at kernel level on macOS.
Webroot SecureAnywhere Vulnerability Targeted MacOS
Researchers at Trustwave SpiderLabs have discovered a flaw in the Webroot antivirus software for macOS that could enable kernel exploits. The “locally exploitable” Webroot SecureAnywhere vulnerability could allow an attacker to execute arbitrary code on a Mac.
The researchers give a proof of concept (PoC) for this vulnerability in their report, where they state,
“A user-controllable pointer dereference exists in the kernel driver of the Webroot SecureAnywhere solution for macOS the root cause of which is an arbitrary user-supplied pointer being read from and potentially written to. As such, the issue arms an attacker with a write-what-where kernel gadget with the caveat that the original value of the memory referenced by the pointer must be equal to (int) -1.”
However, to exploit this vulnerability, an attacker must have local access.
“Being local only, an attacker would need malware executing locally or convince a logged-in user to open the exploit via social engineering.”
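The bug class the advisory describes, modelled in user space as an added illustration (this is not Webroot's driver code or Trustwave's proof of concept; the handler names, request struct and simulated memory regions are constructed): the unsafe handler dereferences whatever pointer the caller supplies, gated only by the advisory's "current value must be -1" caveat, while the hardened form accepts only pointers inside the caller's own region and copies through a local, the role copyin()/copyout() play in a real kernel driver.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a driver request: a caller-supplied pointer and value. */
struct request { int *target; int new_value; };

/* Simulated caller memory (the only legitimate destination) and a piece of
 * state the handler must never touch. */
static int user_buffer[4];
static int kernel_state = 7;

/* Unsafe pattern from the advisory: the raw pointer is read and written as given.
 * Returns 1 if the write happened, 0 if the caveat blocked it. */
int handle_unsafe(const struct request *r) {
    if (*r->target != -1)          /* caveat: referenced memory must hold -1 */
        return 0;
    *r->target = r->new_value;     /* any address the caller chose is written */
    return 1;
}

/* Hardened form: bounds- and alignment-check the pointer against the caller's
 * region, then copy in/out through a local instead of dereferencing directly. */
static int in_user_region(const int *p) {
    const char *c = (const char *)p;
    const char *lo = (const char *)user_buffer;
    const char *hi = lo + sizeof user_buffer;
    return c >= lo && c + sizeof(int) <= hi && ((uintptr_t)c % sizeof(int)) == 0;
}

int handle_hardened(const struct request *r) {
    int current;
    if (!in_user_region(r->target))
        return -1;                                   /* reject (EFAULT in a driver) */
    memcpy(&current, r->target, sizeof current);     /* copyin */
    if (current != -1)
        return 0;
    memcpy(r->target, &r->new_value, sizeof current); /* copyout */
    return 1;
}

/* Scenario helpers so the outcomes can be checked as return values. */
int scenario_hardened_in_region(void) {     /* legitimate write succeeds */
    user_buffer[1] = -1;
    struct request r = { &user_buffer[1], 42 };
    return handle_hardened(&r) == 1 && user_buffer[1] == 42;
}
int scenario_hardened_out_of_region(void) { /* foreign pointer rejected, state intact */
    kernel_state = -1;
    struct request r = { &kernel_state, 99 };
    return handle_hardened(&r) == -1 && kernel_state == -1;
}
int scenario_unsafe_out_of_region(void) {   /* unsafe handler overwrites the state */
    kernel_state = -1;
    struct request r = { &kernel_state, 99 };
    return handle_unsafe(&r) == 1 && kernel_state == 99;
}
```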
Webroot Fixed The Vulnerability
The “Arbitrary pointer dereference and potential overwrite” vulnerability (CVE-2018-16962) was discovered by a Trustwave researcher on June 29, 2018. Webroot released a patch for the flaw about a month later, on July 24, 2018. Trustwave, however, still took a while to publish its advisory; regarding this delay, it explains that it sometimes withholds technical details for a time to allow vendors to patch the flaw.
With regards to the patch, Webroot stated,
“The security of our customers is of paramount importance to Webroot. This vulnerability was remedied in software version 22.214.171.124 which has been available for our customers since July 24, 2018. We have no evidence of any compromises from this vulnerability.”
Users who have not already upgraded should ensure they update to version 126.96.36.199.