A world of hurt after McAfee mistakenly revokes key for signing Mac apps

Just allow untrusted certificates, one customer told.

A McAfee administrator accidentally revoked the digital key used to certify desktop applications that run on Apple's OS X platform, creating headaches for customers who want to install or upgrade Mac antivirus products.

A certificate revocation list [CRL] hosted by Apple Worldwide developer servers lists the reason for the cancellation as a "key compromise," but McAfee officials said they never lost control of the sensitive certificate, which is used to prove applications are legitimate releases. The revocation date shows as February 6, meaning that for seven days now, customers have had no means to validate McAfee applications they want to install on Macs.

"We were told that as a workaround, we should just allow untrusted certificates until they figure it out," an IT administrator at a large organization, who asked that he not be identified, told Ars. "They're telling us to trust untrusted certs, and that definitely puts us at risk."

Bryan Barney, McAfee's executive vice president of product development, said the key was inadvertently revoked when an administrator was handling a development hardware upgrade. Instead of revoking his individual-use key, the admin mistakenly revoked the code-signing keys Apple uses to help keep the Mac ecosystem free of malware. Company engineers are in the process of re-signing their Mac apps with a new key, but until then, there are no good options for customers who want to install or upgrade their programs.

"It's not something we would want to tell people," Barney said when asked if it was true McAfee support personnel were telling customers to permit untrusted certificates. "That is a workaround that would work, but it's not a workaround we'd be comfortable with."

Asked why applications haven't been signed a week after the key was revoked, Barney said the error was discovered only two days ago. In addition to generating a new key, engineers must also rebuild and re-sign applications and then perform quality-assurance testing to make sure the updated programs work properly. He didn't immediately have an estimate for when the problem would be resolved.

The episode is a graphic example of the complexities of administering the digital certificates at the heart of public key infrastructures used to validate software and websites and to encrypt email and other forms of Internet communication. Last week, a private key that security firm Bit9 uses to certify software was stolen by crooks and used to put a trusted seal of approval on malware that infected at least three Bit9 customers. A widely trusted key-signing certificate belonging to Adobe Systems was similarly compromised in September.

For now, customers of McAfee software for the Mac have no way to ensure the apps they're installing are genuine, and that's a problem.

"We might know that this is a one-off case, but we try to train the people that do our installs to be extra paranoid about this stuff," said the unnamed administrator. "They shouldn't have to get into the game where they have to pick and choose what's trustable and what's not. That defeats the purpose of the mechanism."

Story updated to correct McAfee executive's name.
