McAfee has told customers of its antivirus applications for Mac to “just allow untrusted certificates” after a company administrator accidentally revoked the digital key used to certify its software. For more than a week, users have been unable to install McAfee products on a Mac, and the company’s only workaround so far is to allow untrusted certificates, which could pose risks to its customers’ machines.
Ars Technica reports that Apple’s certificate revocation list states the reason for McAfee’s cancellation as a “key compromise,” but McAfee officials insist that they never lost control of the sensitive certificate, which is used to prove that applications come from legitimate sources and won’t harm users’ machines.
The revocation date is listed as February 6, which means Mac users have been unable to install McAfee products for over a week. There is a workaround, but it means compromising the security of a Mac.
“We were told that as a workaround, we should just allow untrusted certificates until they figure it out,” an IT administrator at a large organization told Ars. “They’re telling us to trust untrusted certs, and that definitely puts us at risk.”
According to McAfee’s executive vice president of product development, Barney Bryan, the company’s key was inadvertently revoked by an administrator who was handling a development hardware upgrade. Rather than revoking his individual use key, the admin accidentally revoked the code-signing keys that Apple uses to certify trusted applications and keep its ecosystem free from malware.
As you’d expect, McAfee engineers are in the process of fixing the cock-up, but in the meantime, the only advice it has to offer is bad advice.
“It’s not something we would want to tell people,” Bryan said when questioned about reports that McAfee support personnel were telling customers to accept untrusted certificates. “That is a workaround that would work, but it’s not a workaround we’d be comfortable with.”
Amazingly, despite becoming a problem more than a week ago, McAfee only discovered its certificate had been revoked two days ago — which is why it still doesn’t have it fixed. But there’s more to it than just getting a new key, Ars reports. McAfee engineers must first rebuild and re-sign the applications, and then perform quality assurance tests to ensure they work properly.
Who knows how long that will take; not even Bryan could provide an estimate.
For now, then, McAfee customers have no way of knowing that the applications they’re installing are genuine McAfee applications. That’s a big problem for users. They must now decide whether to go without McAfee antivirus products until the problem is solved, or accept untrusted certificates and hope that the applications they install are safe.
- Via Ars Technica