Intego macOS Antivirus Update Daemon Vulnerable to Local Privilege Escalation via XPC PID Reuse
What Happened — Researchers at Quarkslab disclosed a local privilege escalation (LPE) flaw in the com.intego.netupdated daemon, a privileged component of Intego’s macOS security suite. The vulnerability stems from insecure XPC communication: the daemon authorizes clients by their process ID (PID), a value macOS reuses, which allows an unprivileged local user to obtain code execution as root.
Why It Matters for TPRM —
- LPE in endpoint‑security software can undermine the entire host’s security posture, exposing downstream data and services.
- An attacker who already has a foothold as a standard user can escalate to root and then disable or tamper with endpoint controls, rendering other vendor‑provided protections on the host ineffective.
- The flaw highlights the risk of inadequate validation in third‑party security agents that are widely deployed across enterprises.
Who Is Affected — macOS environments that run Intego’s antivirus/anti‑malware products (enterprise laptops, BYOD fleets, managed workstations).
Recommended Actions —
- Verify whether any Intego products are deployed in your environment.
- Apply any patches or configuration mitigations released by Intego immediately.
- Conduct a short‑term audit of privileged daemons on macOS endpoints for similar XPC mis‑configurations.
- Update your endpoint‑security vendor risk assessments to reflect the elevated LPE risk.
Technical Notes — The daemon com.intego.netupdated runs as root and registers the Mach service com.intego.netupdate.daemon.agent. It authorizes incoming XPC requests by looking up the connecting client’s PID and checking the identity of whatever process holds that PID. Because macOS recycles PIDs, the process whose identity is checked is not necessarily the process that sent the request; this time‑of‑check/time‑of‑use (TOCTOU) race lets an unprivileged client bypass the daemon’s XPC authentication. Successful exploitation grants arbitrary code execution as root. No CVE number had been assigned at the time of writing. Source: Quarkslab Blog
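As an added illustration (not Intego’s code and not taken from the Quarkslab write‑up), the Objective‑C sketch below shows a root XPC listener with the weak pattern the advisory describes, a client check keyed on the peer’s PID, next to a check keyed on the connection’s audit token, which identifies the exact process instance rather than a reusable number. The service name and the code‑signing requirement string (team identifier) are hypothetical. xpc_connection_get_audit_token is exported by libxpc but not declared in the public headers, and xpc_connection_set_peer_code_signing_requirement is public from macOS 12 onward.

```objective-c
// Added example, not Intego's or Quarkslab's code. Hypothetical service name
// and requirement. Build: clang -fobjc-arc -framework Foundation -framework Security listener.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <xpc/xpc.h>
#import <bsm/audit.h>          // audit_token_t

static const char *kServiceName = "com.example.privileged-updater"; // hypothetical
// Hypothetical designated requirement: Developer ID chain, pinned to one team.
static NSString *const kClientRequirement =
    @"anchor apple generic and certificate leaf[subject.OU] = \"ABCDE12345\"";

// Exported by libxpc but absent from the public headers.
extern void xpc_connection_get_audit_token(xpc_connection_t connection,
                                           audit_token_t *token);

// Resolve a code object from guest attributes and test it against the requirement.
static BOOL guestSatisfiesRequirement(NSDictionary *guestAttrs) {
    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)guestAttrs,
                                       kSecCSDefaultFlags, &code) != errSecSuccess) {
        return NO;
    }
    SecRequirementRef req = NULL;
    OSStatus st = SecRequirementCreateWithString(
        (__bridge CFStringRef)kClientRequirement, kSecCSDefaultFlags, &req);
    if (st == errSecSuccess) {
        st = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
        CFRelease(req);
    }
    CFRelease(code);
    return st == errSecSuccess;
}

// WEAK (the pattern the advisory describes): key the check on the peer's PID.
// A PID is just a number; between the lookup and the use of its result it can be
// owned by a different process, so a trusted, signed binary may be the one
// checked while attacker code holds the connection (PID reuse / TOCTOU).
__attribute__((unused))
static BOOL peerTrustedByPID(xpc_connection_t peer) {
    pid_t pid = xpc_connection_get_pid(peer);
    return guestSatisfiesRequirement(
        @{ (__bridge NSString *)kSecGuestAttributePid : @(pid) });
}

// HARDENED: key the check on the audit token, which the kernel stamps on the
// connection and which names the exact process instance (PID plus PID version),
// so a recycled PID no longer satisfies the lookup.
static BOOL peerTrustedByAuditToken(xpc_connection_t peer) {
    audit_token_t token;
    xpc_connection_get_audit_token(peer, &token);
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    return guestSatisfiesRequirement(
        @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData });
}

int main(void) {
    @autoreleasepool {
        xpc_connection_t listener = xpc_connection_create_mach_service(
            kServiceName, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
        xpc_connection_set_event_handler(listener, ^(xpc_object_t event) {
            if (xpc_get_type(event) != XPC_TYPE_CONNECTION) {
                return;
            }
            xpc_connection_t peer = (xpc_connection_t)event;
            // macOS 12+: let libxpc enforce the requirement on the peer before any
            // message is delivered; the per-message check below covers older systems.
            if (@available(macOS 12.0, *)) {
                xpc_connection_set_peer_code_signing_requirement(
                    peer, kClientRequirement.UTF8String);
            }
            xpc_connection_set_event_handler(peer, ^(xpc_object_t msg) {
                if (xpc_get_type(msg) != XPC_TYPE_DICTIONARY) {
                    return; // error or cancellation event, nothing to authorize
                }
                // Authorize on every request, not once per connection.
                if (!peerTrustedByAuditToken(peer)) {
                    xpc_connection_cancel(peer);
                    return;
                }
                // ... perform the privileged operation and reply here ...
            });
            xpc_connection_resume(peer);
        });
        xpc_connection_resume(listener);
        dispatch_main();
    }
    return 0;
}
```

Two caveats for anyone auditing a daemon against this pattern: the check must run for every message, since a client can exec a different binary after connecting, and verifying the client’s signature only proves which executable is talking, not that it cannot be coerced (a trusted client without the hardened runtime can still be abused through library injection), so the privileged operations the daemon exposes should themselves be kept as narrow as possible.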