Apple’s insistence on “notarizing” apps—even ones not downloaded from the App Store—has failed to “give users more confidence,” as Tim Cook’s crew promised. Even the most prevalent macOS malware can slip through the notarization net. Twice, in fact.
Apple confirms it had to scramble to revoke its blessing on the malware. But then it went and blessed the naughty thing again.
I’m a Mac. And I’m a PC. In today’s SB Blogwatch, we’re a Linux live CD.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Foreshortening conspiracy.
AAPL FAIL Redux
Hey, Lily Hay Newman. What’s the craic? “Apple Accidentally Approved Malware to Run on MacOS”:
In an attempt to crack down on growing threats like adware and ransomware, in February Apple began “notarizing” all macOS applications … even software distributed outside of the Mac App Store. … Seven months later, though, researchers have found … the same old payloads—and the malware has been fully notarized by Apple..
It’s not clear how Shlayer slipped past Apple’s automated scans and checks to get notarized, especially given that it’s virtually identical to past versions. … Notarization makes it much more difficult to deploy malware—or at least that’s the idea. … Still, bad actors are clearly slipping through.
As with any trust-based system, notarization can help Apple keep security pretty tight, but anything that does sneak past can then spread quickly because it has the company’s imprimatur. … Anyone not running antivirus would be out of luck.
What does Apple have to say for itself? Zack Whittaker adds—“Apple mistakenly approved a widely used malware”:
Security researchers say they have found the first Mac malware inadvertently notarized by Apple. Peter Dantini, working with Patrick Wardle … found a malware campaign disguised as an Adobe Flash installer [which] had code notarized by Apple.
A spokesperson for Apple [said] “Apple’s notarization system helps us keep malware off the Mac and allow us to respond quickly when it’s discovered. Upon learning of this adware, we revoked the identified variant, disabled the developer account, and revoked the associated certificates.”
But … the attackers were back soon after with a new, notarized payload, able to circumvent the Mac’s security all over again. Apple confirmed … it has also blocked that payload. The cat and mouse game continues.
Horse’s mouth? Patrick Wardle interrobangs it up—“malicious code now notarized!?”:
Kudos to Peter for uncovering this adware campaign, and sharing the details with me. … Malicious code targeting macOS, unfortunately, is far too common. … Apple had to take steps. … Their (most recent) answer? Code Notarization … in macOS 10.15 (Catalina).
If software has not been notarized, it will be blocked by macOS (with no option to run it). [It] seemed like a promising idea. Sadly, not all promises are kept.
Due to their notarization status, users will quite likely fully trust these malicious samples. … Notarization was supposed to “give users more confidence.” … Unfortunately a system that promises trust, yet fails to deliver, may ultimately put users at more risk [assuming] Mac users buy into Apple’s claims.
Apple (quickly-ish) revoked the Developer code-signing certificate(s) that were used to sign the malicious payloads. [But] as of Sunday (Aug 30th) the adware campaign was still live and serving up new payloads [and] still notarized. … Both the old and “new” payloads appear to be nearly identical.
All of which hurts fxtentacle, apparently:
The verification aspect was one of the core arguments that Apple [used] to argue that the App Store would be a consumer benefit and not a monopolistic extortion scheme. … But now it looks like unrelated teams are poking holes into Apple’s defense from all directions.
The resulting illusion of safety might be even more dangerous than a user who is aware of the need to be careful with stuff downloaded from the internet. … Apple is presenting the purely technical approach as good enough, thereby creating the illusion of safety when there is none.
Here come the fanbois, playing Defense. arosenfield misses the point (by a mile):
The notarization process is a purely automated process. … The fact that some malware was able to evade whatever checks Apple has for maliciousness should not be terribly surprising. … Apple will update their notarization servers to detect malware like this.
With a more measured reaction, Michael Tsai is discouraged:
This is discouraging. … OSX.Shlayer is said to be the “most prevalent” Mac malware, yet notarization didn’t catch it.
Perhaps the real benefit of notarization is not prevention but rather that it allows related binaries to be found (because Apple can search the previous submissions) and disabled sooner, before they have widely spread.
Uhh, except Apple failed to do that, seeing as a replacement was live a day or two later. @GayRobot_ doesn’t understand:
I don’t understand how an application that was not submitted by Adobe as an installer for a discontinued product gets notarized! This doesn’t instill confidence at all.
Although, Howard Oakley—@howardnoakley—is willing to wait for more info (but not for long):
Apple has questions to answer, and can’t afford to keep silent. [The official statement] only tells us what we knew already.
Time for a colorful metaphor? Proudrooster cocks his doodle-doo: [You’re fired—Ed.]
If Steve jobs were alive today, someone at Apple would be getting kicked in the ***** for approving anything that has to do with Flash Player.
Apple is falling apart. The MBAs are taking over and the techies are getting shoved into the basement or the roof.
Note to MBAs: you can only make money until the customers figure out your product is ****. You are … headed for the land of Microsoft.
Meanwhile, the news is not helping this Anonymous Coward to start buying Apple products:
I’ll continue to enjoy not paying a 30% tax to Apple for less choice.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.