
Apple Accidentally Approved Malware to Run on macOS - 1cvmask
https://www.wired.com/story/apple-approved-malware-macos-notarization-shlayer/
======
jibcage
Since the whole point of notarization is to give Apple the power to revoke
malicious binaries on its system after-the-fact, this seems like it works by
design, no? Apple quickly revoked the notarization once they were alerted of
the malware.

Otherwise Apple would have to scan every single binary submitted for
notarization, which then puts a pretty large onus on them should anything slip
through.

~~~
Karliss
If Apple didn't want to scan every binary submitted for notarization then they
didn't need to introduce the notarization. They already had the means to
revoke malicious binaries after-the-fact by revoking the corresponding
developer certificate. The main difference with notarization is that it forces
binaries to be submitted to Apple early for inspection in comparison with
signing using developer certificate which happens locally.

~~~
natcombs
Wouldn’t you also want the ability to revoke just certain binaries? Let’s say
a large company like Microsoft accidentally somehow got malware on their Excel
app, you wouldn’t want to terminate the dev cert because that would also
cancel Outlook, Word, PowerPoint, etc.

~~~
flohofwoe
If I'm not mistaken you can create as many code signing certificates as you
want, so it makes sense to sign each application with its own certificate. Of
course this wouldn't help when Apple "kills" the entire developer account I
guess.

~~~
judge2020
Nope, you can only generate 5 Developer ID Application certificates for the
lifetime of your Developer account. It's a real pain to get another one, I had
lost all of mine (didn't have a real Mac, so was using various temporary
Hackintosh and KVM installs) and it took 2 months of emails to both Developer
support and the Security team to get another one issued [and backed up].

~~~
EricE
It took you five times before you learned to make backups? Woah.

~~~
captainredbeard
That's a bit condescending. The signing stack is very complicated and folks
often make mistakes when attempting to back up (export) the correct private
key and certificate pair.

------
gregoriol
Those news stories about Apple approving malware are so wrong: the notarization is not
an approval, it's more like a registration.

It would be news if it was on the App Store, which has a review.

~~~
shakna
> The Apple notary service is an automated system that scans your software for
> malicious content, checks for code-signing issues, and returns the results
> to you quickly. [0]

Apple seem to be saying that it is more than a registration process. Not
passing a human review would be bigger, but it is a review of a kind.

[0]
[https://developer.apple.com/documentation/xcode/notarizing_m...](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution)
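
As an added example (not part of this thread, and not Apple's code), here is how a defender can see for themselves what Apple's notarization check actually vouches for on a given Mac. `spctl`, `codesign` and `xcrun stapler` are Apple's real command-line tools and only exist on macOS; the `classify_assessment` and `check_bundle` function names are my own, and the sample `spctl` output embedded below is constructed in the format those tools print, not captured from a real binary. Because Gatekeeper's verdict depends on Apple's current revocation state (developer certificate and notarization ticket), the same binary can move from `notarized` to `rejected` after the fact, which is exactly the revocation mechanism the comments above are arguing about.

```shell
#!/bin/sh
# Added example: classify Gatekeeper's verdict on a macOS app bundle.
# spctl, codesign and stapler are Apple's tools and exist only on macOS.

# classify_assessment reads the output of `spctl -a -t exec -vv <bundle>` on
# stdin and prints one word:
#   notarized    - accepted, signed with Developer ID and notarized by Apple
#   developer-id - accepted on a Developer ID signature alone (older macOS)
#   accepted     - accepted from some other source (e.g. Mac App Store)
#   rejected     - Gatekeeper would refuse it: unsigned, revoked, or unnotarized
#   unknown      - the text did not look like spctl output at all
classify_assessment() {
    status=unknown
    source=
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*) status=accepted ;;
            *": rejected"*) status=rejected ;;
            *source=*)      source=${line#*source=} ;;   # "Notarized Developer ID", etc.
        esac
    done
    case "$status" in
        accepted)
            case "$source" in
                "Notarized Developer ID") echo notarized ;;
                "Developer ID")           echo developer-id ;;
                *)                        echo accepted ;;
            esac ;;
        rejected) echo rejected ;;   # the source= line says why (e.g. revoked ticket)
        *)        echo unknown ;;
    esac
}

# check_bundle runs the real tools against a bundle path on macOS.
# codesign checks the signature itself, stapler checks for an offline
# notarization ticket, and spctl gives Gatekeeper's combined verdict.
check_bundle() {
    bundle=$1
    codesign --verify --deep --strict "$bundle" 2>/dev/null \
        || echo "codesign: signature missing or invalid" >&2
    xcrun stapler validate "$bundle" >/dev/null 2>&1 \
        || echo "stapler: no ticket stapled (may still be notarized online)" >&2
    spctl -a -t exec -vv "$bundle" 2>&1 | classify_assessment
}

# Constructed sample output (assumption: mirrors spctl's real format).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_REVOKED='/Users/me/Downloads/Installer.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'

SAMPLE_SIGNED_ONLY='/Applications/Old.app: accepted
source=Developer ID'

# Usage on a Mac: check_bundle /Applications/Example.app
# Offline demonstration against the constructed samples:
printf '%s\n' "$SAMPLE_NOTARIZED"   | classify_assessment   # notarized
printf '%s\n' "$SAMPLE_REVOKED"     | classify_assessment   # rejected
printf '%s\n' "$SAMPLE_SIGNED_ONLY" | classify_assessment   # developer-id
```

The point of splitting the classifier from the tool invocation is that the verdict is a property of the Mac's current trust state, not of the file: re-running `check_bundle` tomorrow can yield `rejected` for a file that was `notarized` today, which is what "revocation after the fact" means in practice.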

------
simondotau
I'm confused, when did Apple "approve" anything? The notarisation software
isn't a review process.

~~~
flohofwoe
What else is the scanning of an uploaded executable than an (automated) review
process though? The notarization process wouldn't be needed to implement a
"kill-switch" for executables by revoking the certificate (code signing with
an Apple certificate was required long before notarization). If anything, the
notarization creates an illusion of security for the user which might be worse
than an unsigned executable (because at least an unsigned exe looks shady
right from the start, but a notarized exe _had_ been scanned by Apple so it's
ok to run, right?)

~~~
coldtea
> _What else is the scanning of an uploaded executable than an (automated)
> review process though?_

It's a pass of checks that might or might not find something.

It's not some official stamp of approval, except to say "those checks passed
ok".

~~~
rowanG077
"Those checks passed ok" is an approval in itself. The notarization process
has the outcome of either being approved or being denied. Approved means
"officially agreed or accepted as satisfactory.".

~~~
manicdee
When a Justice of the Peace notarises a piece of documentation, they are not
vouching for authenticity; they are only vouching for certain claims made: the
document was presented on a certain date, and/or that this copy is an accurate
facsimile of the provided original.

Notarisation for macOS similarly only means, “the developer presented us with
their application and their certificate of authenticity and we signed it with
the certificate that allows macOS to run it without complaining.”

There’s no attempt by Apple to claim that the application is safe or does what
it says on the tin.

Scanning for malware is simply to avoid embarrassing situations like an
author/publisher finding they’ve been compromised by some well known malware.

The outcome of notarisation is that the app has been notarised.

It’s like claiming that the outcome of toasting a sandwich is approval or
rejection, no the outcome of toasting a sandwich is you have a sandwich that
is toasted, aka “toasted sandwich.”

You might reject a sandwich which isn’t built properly (eg: has mismatched
bread slices, is missing contents or smells of dynamite). But toasting the
sandwich provided by the customer doesn’t mean you actually like it.

~~~
rowanG077
> There’s no attempt by Apple to claim that the application is safe or does
> what it says on the tin.

So that isn't part of the notarization process. It still was approved by Apple
and thus was notarised.

> It’s like claiming that the outcome of toasting a sandwich is approval or
> rejection, no the outcome of toasting a sandwich is you have a sandwich that
> is toasted, aka “toasted sandwich.”

That's disingenuous. If I send a Sandwich to be toasted by Apple and get it
back toasted that means the Sandwich was indeed approved by Apple since it has
been toasted.

~~~
ziml77
If I set up a toasting service and you sent me a ham and cheese sandwich
spread with Nutella, you're going to get it back toasted. That doesn't mean
that I approve of that nasty sandwich filling though.

~~~
rowanG077
Then you should not toast it.

------
freeAgent
Apple created a process whereby applications are run through automated checks
for malware in order to be approved for installation on MacOS by the public.
The title is accurate. The process isn’t perfect, but human review isn’t
perfect either. One issue this brings up is the false sense of security that
review and approval processes such as this create among users.

------
dessant
It's astonishing that the developer community is fine with requiring open
source projects to pay $99/yr for notarization to run on macOS. Malware
authors will happily pay the developer account fees, as seen here, while open
source projects are seriously hindered.

It should be possible to verify developers and distribute open source apps
without a cost on macOS.

~~~
jmull
$99/year is such a small amount relative to the costs of software development
that it's hard to worry about. Meanwhile, there is good value. (The developer
resources Apple provides are not free.)

You can argue that Apple should provide developer resources at no cost, but
that just means someone else is paying for them or you will pay them in some
other way... or do without.

I think at this point in the tech boom we can all understand that when a
company gives you stuff of value at no cost there are significant tradeoffs
and paybacks. In software development, I think you want most arrangements to
be straightforward transactions. The strings attached to no-cost things tend
to build up and cause problems, especially if you have success.

Edit: I struck a nerve, but I don't think this should be very controversial.
I'll try to take the objections one at a time in comments.

~~~
Someone1234
> $99/year is such a small amount relative to the costs of software
> development that it's hard to worry about

Huh? Some Open Source/Free software has a $0 budget.

~~~
jmull
Software development typically requires at least a computer (a Mac for MacOS
and iOS development), internet service, and electricity.

Dwarfing those, though, is the significant time software development takes.
For OSS, the time is donated, whether by individuals or by corporate sponsors
who sometimes dedicate employee hours to projects of particular value to them.
But in either case the donator has to be in a position to afford it, which
typically means significant income from other means.

~~~
traib
> But in either case the donator has to be in a position to afford it, which
> typically means significant income from other means.

Even if someone has the time and resources to contribute to OSS, it does not
automatically follow that they should be willing to spend said time and
resources on notarization (of all things).

Put another way, not every purchase is worthwhile just because you have a
million dollars in the bank.

------
webwielder2
They even gave Apple a head start by disguising it as Flash.

------
diebeforei485
Notarization doesn't actually review the software. It's just a financial and
technical barrier to reduce (not absolutely prevent) the spread of mutant
versions of malware.

------
cblconfederate
The title is not justified. Nowhere in the text is it proven that it was
approved by accident. It might have been an employee acting with malice
aforethought.

~~~
lapcatsoftware
Notarization is an automated process. There's no human involved.

~~~
cblconfederate
ah then the title is completely false

~~~
lapcatsoftware
It's automated approval...

~~~
cblconfederate
... which is neither approval nor accidental

~~~
SyneRyder
Maybe "erroneously" is a better word than accidentally. That's the word Apple
used when apologizing to Charlie Monroe for their automated systems revoking
his Apple Developer ID and remotely disabling his published Mac apps:

_"We determined that your app Downie 4 was erroneously identified as
malicious due to invalid logic in our malware detection system. This triggered
the revocation of your certificate under Section 5.4 of the Developer Program
License Agreement."_

[https://blog.charliemonroe.net/a-day-without-business/](https://blog.charliemonroe.net/a-day-without-business/)

