[ISN] A world of hurt after McAfee mistakenly revokes key for signing Mac apps

From: InfoSec News <alerts_at_private>
Date: Fri, 15 Feb 2013 03:43:38 -0600 (CST)
http://arstechnica.com/security/2013/02/a-world-of-hurt-after-mcafee-mistakenly-revokes-key-for-signing-mac-apps/

By Dan Goodin
Ars Technica
Feb 14 2013

A McAfee administrator accidentally revoked the digital key used to certify 
desktop applications that run on Apple's OS X platform, creating headaches for 
customers who want to install or upgrade Mac antivirus products.

A certificate revocation list [CRL] hosted by Apple Worldwide developer servers 
lists the reason for the cancellation as a "key compromise," but McAfee 
officials said they never lost control of the sensitive certificate which is 
used to prove applications are legitimate releases. The revocation date shows 
as February 6, meaning that for seven days now, customers have had no means to 
validate McAfee applications they want to install on Macs.

"We were told that as a workaround, we should just allow untrusted certificates 
until they figure it out," an IT administrator at a large organization, who 
asked that he not be identified, told Ars. "They're telling us to trust 
untrusted certs, and that definitely puts us at risk."

Barney Bryan, McAfee's executive vice president of product development, said 
the key was inadvertently revoked when an administrator was handling a 
development hardware upgrade. Instead of revoking his individual use key, the 
admin mistakenly revoked the code-signing keys Apple uses to help keep the Mac 
ecosystem free of malware. Company engineers are in the process of re-signing 
their Mac apps with a new key, but until then, there are no good options for 
customers who want to install or upgrade their programs.

[...]


Received on Fri Feb 15 2013 - 01:43:38 PST
