When Your Digital Life is On the Line, Signatures Are Not Enough

Posted on March 6th, 2013 by

It seems like everyone and their dog is adding a security feature to their applications lately to require downloaded files be signed by a trusted certificate before it will be run. Gatekeeper does it and Java does it, to name but a couple high-profile, relatively recent (and Mac-relevant) examples. This isn’t a new technique by any stretch of the imagination. Almost as long as the idea of signed files has existed, there have been security settings that would allow you to reject unsigned files. And almost as long as there have been security settings rejecting unsigned files, there have been malicious files forging or using stolen certificates.

Recently there have been a few examples of this occurring, particularly related to Java, as it’s currently the most high-profile example of a product adding this requirement. A lot of people got super excited about Oracle increasing the default security level to reject unsigned files, and certainly this was not a bad move. However, it does very little to actually increase the security of the Java plugin. In the last couple days, there have been reports of stolen signatures from Bit9 and Clearesult Consulting being used in conjunction with Java-based attacks to give the appearance of trusted files.

This requirement really isn’t posing much of a problem for malware authors, but it’s making things very difficult for the average user to know what to trust. It’s getting increasingly difficult to give simple instructions to enable people to know what is or isn’t valid, as the lines between clearly legitimate and clearly malicious behavior get more and more blurry. Malware authors exploit this by trying to look more and more like the behavior of the “good guys” – be it fake AV products (like MacDefender) or very convincing phishing emails, or by stealing legitimate certificates. (Try saying that 10 times fast!) This is part of why it’s important to use security tools such as firewalls and AV scanners that don’t rely on blanket trust levels to decide when to allow code to run.