Feb 09, 2026 • Mathieu Farrell
Intego X9: When your macOS antivirus becomes your enemy
Summary
This blog post dives into the most common classes of macOS Local Privilege Escalation vulnerabilities, from time-of-check to time-of-use (TOCTOU) Race Conditions and insecure XPC communications to a range of implementation and configuration oversights. We will explore how attackers can exploit these weaknesses to escalate privileges, and highlight real-world examples to illustrate recurring patterns.
Published Analysis
Author's note

This article is part of a series of blog posts dedicated to identifying vulnerabilities in third-party macOS applications. The goal is to document real-world flaws and explain the techniques used to discover and exploit them. Other examples in this series include our prior posts about ControlPlane, CCleaner, and Microsoft Teams:

- ControlPlane Local Privilege Escalation Vulnerability on macOS
- CCleaner Local Privilege Escalation Vulnerability on macOS
- Exploiting Microsoft Teams on macOS during a Purple Team engagement

As my latest target is Intego X9, this topic will be covered over three blog posts, due to the number of issues discovered. Each part will focus on different aspects of the findings, including technical details, exploitation techniques, and the overall security implications for macOS users relying on Intego products.

Introduction

In modern macOS environments, the threat surface extends far beyond traditional viruses: it encompasses network intrusions, data corruption, performance degradation and user misuse. Intego is a security software vendor with a product portfolio that spans antivirus, firewall, parental controls, system-cleaning and optimization tools, backup solutions, and privacy/VPN utilities. In this article I present the results of research outlining the identification and exploitation of several vulnerabilities that enabled compromise of all Intego applications on macOS. The vendor offers a downloadable bundle (the installation method we used).
Testing shows that the vulnerabilities are exploitable whether the applications are installed individually or through the full bundle, meaning that any user running one or more of these products is at risk.

Figure 1 - Apps included in the Mac Premium Bundle X9 bundle.

The following descriptions are sourced from the vendor's official website:

- VirusBarrier (Mac antivirus): protecting your Mac against Mac and cross-platform malware.
- NetBarrier (Mac network protection): protecting your Mac from unauthorized access.
- Mac Washing Machine (Mac cleaner): cleans up and speeds up your Mac.
- ContentBarrier (Mac parental controls): helps keep kids safe while online.
- Personal Backup (a bootable backup for Mac): automatically backs up all essential files.

Multiple vulnerabilities were discovered and disclosed to the vendor. Only two are discussed in detail in this blog post; the others will be published later:

- Intego Log Reporter Local Privilege Escalation (as root)
- Intego Personal Backup Local Privilege Escalation (as root)

Intego Log Reporter Local Privilege Escalation (as root)

CVE identifier: CVE-2026-26224

The following information was obtained from Intego Support. Intego Log Reporter is a diagnostic tool bundled with each Intego application that collects detailed system and application logs as well as configuration data to help diagnose issues. When triggered, it builds a report that gathers error messages, application-specific log files, and user and system metadata, and then compresses all of this into a single archive (a .tgz file) that the user can send to Intego Support for analysis.

Explanation of how the application works, extracted from Intego's support (PDF).

One critical component of the tool is executed with root privileges, which allows it to access sensitive areas of the macOS filesystem that standard users cannot reach.
The elevated access enables Intego Log Reporter to retrieve system logs, configuration files, and diagnostic information from protected directories, providing deeper visibility for analysis and troubleshooting purposes.

The information collection logic of Intego Log Reporter is implemented as a shell script (#!/bin/sh) located at:

/Library/Intego/commonservices.bundle/Contents/MacOS/IntegoLogReporter.app/Contents/Resources/idiagnose

The main application executes the script as root to gather and read sensitive system data, including logs and Firefox profiles. However, the script writes the collected data to /tmp without enforcing any security checks: the output directory name is composed from the current date, so it is predictable, and nothing verifies that the destination it is about to write to is a freshly created directory rather than something an unprivileged user placed there. Because /tmp is world-writable, this introduces a time-of-check to time-of-use (TOCTOU) race condition: an unprivileged user can pre-create the expected path, or swap it in between the script's check and its write, with a symlink pointing at a protected location, and the root-owned script then writes through the link. This allows an attacker to write to sensitive locations like /etc/sudoers.d/ and achieve local privilege escalation as root.

File: /Library/Intego/commonservices.bundle/.../IntegoLogReporter.app/Contents/Resources/idiagnose

#!/bin/sh
...
OSVersion=`sysctl -n kern.osrelease | cut -f 1 -d .`
# Compose directory name.
current_date=`date "+%Y.%m.%d_%H-%M-%S"`
temp_directory=...
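The following shell script is an added example and is not the idiagnose script or any other Intego code: it reproduces the bug class described above in a throwaway sandbox created with mktemp, running as the current user, so no root privileges and no real file under /etc are involved. It contains a "privileged" collector that writes a report to a date-derived path under a stand-in for /tmp, the attacker step that plants a symlink at that path first, the same attack against a collector running with noclobber, and a hardened collector built on mktemp -d. All function names, the sandbox layout and the timestamp are hypothetical.

```shell
#!/bin/sh
# Added example, not Intego's idiagnose script: a privileged collector that
# writes to a predictable path under a world-writable directory, the symlink
# attack that abuses it, and a hardened collector. Everything runs as the
# current user inside a sandbox from mktemp, so no real system file is touched.
# All function and path names are hypothetical.

# Vulnerable pattern: directory name derived from the date (guessable), created
# with mkdir -p (silently accepts an attacker-created one), written with a plain
# redirection (follows a planted symlink to wherever it points).
vulnerable_collect() {
    base="$1"    # stands in for /tmp
    stamp="$2"   # stands in for the output of date "+%Y.%m.%d_%H-%M-%S"
    dir="$base/report_$stamp"
    mkdir -p "$dir"
    echo "collected logs" > "$dir/report.log"
}

# Hardened pattern: mktemp -d picks an unguessable name and creates the
# directory with mode 0700, so an unprivileged user can neither predict nor
# enter it. The write runs under noclobber (set -C), i.e. O_CREAT|O_EXCL, so an
# existing path is never opened through; the -e/-L test only gives a clearer
# error, it is the O_EXCL open that closes the race window.
safe_collect() {
    base="$1"
    dir=$(mktemp -d "$base/report.XXXXXXXX") || return 1
    out="$dir/report.log"
    if [ -e "$out" ] || [ -L "$out" ]; then
        return 2
    fi
    ( set -C; echo "collected logs" > "$out" ) || return 3
    printf '%s\n' "$out"
}

# Sandbox: a "protected" target file standing in for a root-owned file, and a
# private tmp directory standing in for /tmp.
make_sandbox() {
    sandbox=$(mktemp -d)
    echo "original" > "$sandbox/protected_file"
    mkdir "$sandbox/tmp"
    printf '%s\n' "$sandbox"
}

# Attacker step (unprivileged): pre-create the guessable directory and plant a
# symlink where the privileged script will write its report.
plant_symlink() {
    sandbox="$1"; stamp="$2"
    mkdir -p "$sandbox/tmp/report_$stamp"
    ln -s "$sandbox/protected_file" "$sandbox/tmp/report_$stamp/report.log"
}

STAMP="2026.02.09_12-00-00"   # constructed: the timestamp the attacker guessed

# Attack against the vulnerable collector; prints the protected file afterwards.
demo_attack() {
    sandbox=$(make_sandbox)
    plant_symlink "$sandbox" "$STAMP"
    vulnerable_collect "$sandbox/tmp" "$STAMP"
    cat "$sandbox/protected_file"      # "collected logs": overwritten via the link
    rm -rf "$sandbox"
}

# Same attack, but the collector runs with noclobber: the shell opens the
# report with O_EXCL and refuses the planted symlink, so the target survives.
demo_noclobber() {
    sandbox=$(make_sandbox)
    plant_symlink "$sandbox" "$STAMP"
    ( set -C; vulnerable_collect "$sandbox/tmp" "$STAMP" ) 2>/dev/null || true
    cat "$sandbox/protected_file"      # "original"
    rm -rf "$sandbox"
}

# Hardened collector: the attacker cannot guess the directory, so there is
# nowhere to plant a link; the report lands in a fresh regular file.
demo_safe() {
    sandbox=$(make_sandbox)
    out=$(safe_collect "$sandbox/tmp") || return 1
    [ -f "$out" ] && [ ! -L "$out" ] && cat "$out"   # "collected logs"
    rm -rf "$sandbox"
}

if [ "${1:-}" = "run" ]; then
    demo_attack; demo_noclobber; demo_safe
fi
```

Run it as `sh script.sh run`: demo_attack prints the contents of the protected file after the collector ran, showing the root-style write went through the attacker's symlink, while demo_noclobber and demo_safe leave the target untouched. The design point is that checking "is this a symlink?" and then opening the file in a second step would reintroduce the race; what actually fixes the pattern is an unguessable, mode-0700 directory from mktemp -d combined with an O_EXCL open, which is what shell noclobber gives you for free.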
Linked Entities
- CVE-2026-26224
- CVE-2026-26225