Saturday, February 16, 2013

McAfee administrator creates OS X havoc by revoking the company's digital signing key

Sometimes security firms get hacked, which is somewhat humorous. Sometimes, though, they just shoot themselves in the foot, as a Thursday report showed McAfee did.

Indeed, just as with the earlier incident with Bit9, the McAfee FUBAR was an incident of its own making. A McAfee administrator accidentally revoked the digital key that McAfee used to certify desktop applications that run on Apple's Mac OS X platform.

In order to install or upgrade a McAfee product, users would have to allow untrusted certificates. That is precisely what an IT administrator said was recommended to him.

We were told that as a workaround, we should just allow untrusted certificates until they figure it out. They're telling us to trust untrusted certs, and that definitely puts us at risk.

Windows users can think of this as similar to the signing of drivers; if unsigned drivers are installed on a Windows box, the OS will ask if the user wants to allow the installation.

McAfee executive vice president of product development Barney Bryan elaborated on the issue. He said that the key was mistakenly revoked when an administrator was handling a development hardware upgrade. The administrator wanted to revoke his individual-use key, but instead revoked McAfee's code-signing keys. Engineers are in the process of re-signing their Mac apps with a new key, Bryan said, but until then, the only option for users is to allow untrusted certificates.

Bryan said,

It's not something we would want to tell people. That is a workaround that would work, but it's not a workaround we'd be comfortable with.

According to Apple's Worldwide developer servers, the revocation date for the key was Feb. 6. According to McAfee, though, the issue was not detected until two days ago.

The incident again shows that despite automation and technology, human beings remain the weak link in security. The Bit9 incident resulted because the company neglected to protect its own servers, having forgotten to install its own software on them.
