Shirt Pocket SuperDuper! Arbitrary Code Execution Vulnerability via Software Update Mechanism

A vulnerability allowing local attackers to execute arbitrary code has been identified in Shirt Pocket SuperDuper! versions through 3.10. This issue arises from the software update mechanism, which can be manipulated to install unauthorized packages. The vulnerability exploits the fact that, although the SuperDuper! installer package is signed and notarized, macOS's package installer does not verify this notarization, potentially allowing a malicious program to gain administrator access.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of code with elevated privileges, allowing a malicious actor to execute arbitrary commands or programs as an administrator on the affected system.

Reproduction

The vulnerability can be reproduced by initiating a software update for SuperDuper! version 3.10 or earlier. When the update is processed through the macOS package installer, the notarization check is bypassed, creating an opportunity for a local attacker to intercept the update and execute arbitrary code with administrative privileges.

Remediation

Users are advised to update to SuperDuper! version 3.11, which is available for download from the Shirt Pocket website. After updating, users should disable automatic updates in the SuperDuper! preferences to prevent the application from attempting to update to a vulnerable version.