Something similar has happened with Transmission's download DMGs being replaced on their servers [1] (twice! [2]) in recent memory.

[1] https://news.ycombinator.com/item?id=11234589

[2] https://news.ycombinator.com/item?id=12403768
I'm going to take this opportunity to plug my favourite open source project - the Nix package manager[1].

It can work as a universal homebrew replacement (works on MacOS, Linux, WSL and can be easily ported to most BSD variants), comes with a huge collection of packages[2] and produces its own reproducible source builds. Like homebrew, it's a hybrid source and binary based package manager (if you haven't done anything to modify the build, it will likely be downloaded from a cache of pre-built binaries[3]). Unlike something like homebrew-cask, it will never download the pre-built .dmg file from the developer's website - with the obvious exception of proprietary software.

It can also work as a great AUR/ports replacement on Linux systems. Fedora doesn't provide FFmpeg or an up-to-date version of a package you need? No problem, just get it from Nix! All the advantages of a rolling release distro, without actually having to use one.

Due to its functional nature, it comes with a wealth of advantages over homebrew and other traditional package managers[4]. Once you get past the learning curve, creating your own packages or modifying existing ones is a breeze. It can create disposable development environments with the dependencies of whatever project you're working on, without having to install them in your system or user profile! Check out the Nix manual[5] for more information.

It's so flexible that people have built a Linux distribution where your entire system configuration is a Nix derivation (package) - with atomic upgrades, rollbacks, reproducible configuration and much more! [6]

[1] https://nixos.org/nix/

[2] https://nixos.org/nixos/packages.html

[3] https://hydra.nixos.org/

[4] https://nixos.org/nix/about.html

[5] https://nixos.org/nix/manual/

[6] https://nixos.org/nixos/about.html
Did the author not sign the binary?[1] Why not?

Is it really just because of the $99/yr developer program fee? And if so.. is it starting to sound like a better value now?

[1] https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
God dammit. I downloaded this a few days ago and sure enough, I'm infected. What are reasonable mitigation steps to prevent this in the future? I noticed HandBrake said it must "install additional codecs" which is mighty odd, but I didn't think much of it at the time.

Is there a security product on OSX that would have prevented this?
"Further Actions Required

Based on the information we have, you must also change all the passwords that may reside in your OSX KeyChain or any browser password stores."

That sounds like a very large exercise...
Looks like the XProton malware is a RAT.

Full description here:

https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf
I don't understand how I'm supposed to verify the checksum if I've already installed (and run) the HandBrake.app ... and long since deleted the .dmg installer file ????
I think the main concern here is the state of GUI apps on macOS and Windows. Popular apps on these platforms are mostly closed-source, even for personal side projects. For the few open source GUI apps, no package manager provides support for building GUI apps from source.
I wish package managers would make it easier to build GUI apps from source, or even provide their own binary packages for GUI apps. I really feel reluctant to install most GUI apps on macOS and Windows because I can't trust that the build/distribution platforms for these apps are properly secured.
A working link: https://forum.handbrake.fr/viewtopic.php?f=33&t=36364
Usually package managers on linux distros, to use an example for comparison, tend to check checksums of downloads for security purposes during any installation. For MacOS users, I guess I understand they want to use software not blessed by Apple, then isn't homebrew or whatever supposed to do the same thing?
Yikes. Missed this by 1 day. I updated HandBrake to 1.0.7 on 1st May to compress a bunch of videos. Was a little surprised to see it wasn't signed but after scanning it with ClamXav I figured I was safe and installed it on every Mac in the house so I could crank through my project faster.

If I understand correctly, even if I had in fact downloaded the compromised version ClamXav wouldn't have detected the malware?

This kind of stuff is extremely worrying and really strengthens Apple's case for signed application binaries across the board.

Are package managers like Homebrew and MacPorts not also susceptible to this kind of binary poisoning?
I can't believe this. I literally downloaded HandBrake like 45 minutes ago! Luckily I got the proper version, but boy oh boy, it was a close call. I think I'll reinstall ClamXav on all my Macs.
There's a quick analysis of it here: https://objective-see.com/blog/blog_0x1D.html

Along with the fact that Apple updated the built-in sorta-antivirus in MacOS to detect it. But it only detects a SHA1 hash of the original DMG. If someone rebuilds the DMG or puts the malware with another app and builds a DMG, it'll bypass the MacOS sorta-antivirus.
What about creating different users on a MacOS system to do different things? Wouldn't this mitigate exploits like this?

Why shouldn't I create a "Tommy Transcoder" user on my system? That user would have the HandBrake app in his own Applications folder. I assume that HandBrake will run correctly without needing to be installed in the system /Applications?

I already do this for a few items of software. Maybe it should be SOP to do this for most/all software?

Or what about installing most apps into virtual machines and using VMWare to run them?

I do recognize that such an approach couldn't be used universally. E.g. VMWare itself must run on the native machine, and with elevated privileges.

I'm interested in "defense in depth". No single technique can defend against all possible exploits.
Didn't this also happen somewhat recently? How can this be prevented? The window could be reduced by actively monitoring mirrors? Could BitTorrent help mitigate this because the torrent file validates data and isn't under the control of the parties?
> The Download Mirror Server is going to be completely rebuilt from scratch.

Am I alone in thinking that this is irresponsible? Why not move releases to GitHub?

Why aren't you going to start signing macOS binaries? I find this offensive. Thanks for potentially compromising users because you couldn't be arsed to pay for a certificate.
Sigh.. This could be somewhat repaired by making a beta release, distributing it to devs and testers. Once confirmed good, rename the file and release via IPFS. The key here is that if multiple devs did this, the hashsum would prove the file being shared.

Any one client that's been hacked or infected would show up as an improper hash and be easily spotted.
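The multi-party idea in the comment above, as an added shell example that is not from any commenter or project: a release is accepted only when enough independent builders report the same hash for the candidate file, and a downloaded copy is accepted only if it matches that agreed hash. The attestation file format (one `name sha256` line per builder) and the sample hashes are constructed for this example; IPFS content addressing is not modelled, only the agreement check that the comment relies on.

```shell
#!/bin/sh
# Added example (not from any commenter or project): release only when every
# independent builder's hash of the candidate build agrees. The input format,
# one "name<space>sha256" line per attestation, is an assumption of this example.

# Print the agreed hash and return 0 if all attestations name the same hash
# and there are at least MIN of them; otherwise report why and return 1.
# Usage: consensus_hash <attestations-file> <min-count>
consensus_hash() {
    file=$1
    min=${2:-2}
    # Lower-case the hashes and skip blank or comment lines.
    hashes=$(awk 'NF >= 2 && $1 !~ /^#/ {print tolower($2)}' "$file")
    count=$(printf '%s\n' "$hashes" | grep -c . || true)
    distinct=$(printf '%s\n' "$hashes" | sort -u | grep -c . || true)
    if [ "$count" -lt "$min" ]; then
        echo "only $count attestation(s), need $min" >&2
        return 1
    fi
    if [ "$distinct" -ne 1 ]; then
        echo "attestations disagree:" >&2
        awk 'NF >= 2 && $1 !~ /^#/ {print "  " $1 " " tolower($2)}' "$file" >&2
        return 1
    fi
    printf '%s\n' "$hashes" | head -n 1
}

# Accept a downloaded copy's hash only if it equals the agreed hash.
# Usage: matches_consensus <attestations-file> <hash-of-download> [min-count]
matches_consensus() {
    agreed=$(consensus_hash "$1" "${3:-2}") || return 1
    [ "$(printf '%s' "$2" | tr 'A-F' 'a-f')" = "$agreed" ]
}

# Constructed sample attestations for a stand-alone run (not real hashes).
write_samples() {
    dir=$1
    cat > "$dir/good.txt" <<'EOF'
# builder  sha256 of candidate build (constructed values, one builder used upper case)
alice   aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bob     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
carol   aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
EOF
    cat > "$dir/bad.txt" <<'EOF'
# one builder's machine produced a different file: release must not go out
alice   aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bob     bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
carol   aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
EOF
}
```

The disagreement branch is the point: a single compromised builder (or a mirror that swapped the file one builder fetched) surfaces as a hash that does not match the others, and the release step refuses to proceed instead of silently shipping whichever copy arrived first.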