One of the basic checks which all malware protection should make is whether apps and other code have been correctly signed. Details of a bug revealed on Twitter today by Patrick Wardle, of Securita Security and Objective-See, demonstrate that most anti-malware tools can easily be spoofed into accepting completely fictitious certificates.

The problem lies buried in a macOS global function, SecStaticCodeCheckValidity(), which is used by almost all signature-checking tools and apps (including Apple's command line tools) to validate the signature of a file. Apple's description of this function reads: This function obtains and verifies the signature on the code specified by the code object. It checks the validity of all sealed components, including resources (if any). It validates the code against a code requirement if one is specified. The call succeeds if all these conditions are satisfactory.

It is possible for a malware author to trick this function into returning a successful result, claiming that there is a valid certificate from Apple, although there is nothing of the kind. macOS Gatekeeper doesn't appear to be affected by this, so it should still return reliable results. However, the flawed function is used by most, perhaps all, other anti-malware tools. Malware which exploits this vulnerability could therefore pass this stage of their checks.

Patrick has found a workaround, and has already updated Objective-See's invaluable signature-checking tool What's My Sign?, which shouldn't now succumb to this spoofing.

I'd say there's really plenty, not to say too much, room for improvement: options like behavioral / network protection. Of course this wouldn't be for everyone; I know all these Mac users who state: it's useless and only slows down my Mac. I think this is true only for badly programmed AV software; well-programmed AV software should offer these features, leave it to users to deactivate them, and perform well anyhow. But worse: it's partly rather buggy. For example, when it installs, it shows strange notifications. It's confusing for end users and simply bad GUI design (not optimized in any way for macOS Ventura, and this is after several months of the final release). What's worse, they still look strange / suspicious in the "Background processes" section of the system prefs: there are exactly these 2 entries, "Mark Allan" and "open" (the last one even states: "Item from an unidentified developer"). I mean, what the heck is "Mark Allan", or "open", supposed to mean, why should I allow this? How am I supposed to know which programs these background activities belong to, esp. if I find them after half a year or so? I know my Mac quite well, therefore I was able to find out, but the average user can't. If you deactivate one of those, of course the software doesn't work correctly anymore. Very annoying. And it's not the 1st time I found things like this; I also informed the developer about things now and then, but I'm afraid it's not going to be of much use (never got any feedback). It's so unprofessional, it makes me very skeptical about this "security" software. Which is really a pity, since there's really not that much decent Mac security software on the market; most is garbage really.