Just goes to show that Apple’s walled garden approach still fails, the best option is to allow users the choice to decide what to download regardless of Apple’s built in preferences and encourage antivirus software
 
Just goes to show that Apple’s walled garden approach still fails, the best option is to allow users the choice to decide what to download regardless of Apple’s built in preferences and encourage antivirus software
Walled Garden? This example is just an odd example of something getting by Apple notarization that is something no longer needed, as well as a good reminder not to install something you never requested by an untrustworthy web site. macOS is not a walled environment like iOS, or iPadOS. :)
 
Proof that their notarization is worthless. But it sounds good on paper.

No it's not. Notarization is not malware detection. It ensures that the binary actually came from who it claims to have come from. That's it. Just like a notary public proves that a document was signed by the person who claims to have signed it, and doesn't prove that the contents of the document are true.

This is a weird news article.
 
This is why I run Bitdefender on all my computers even netgear armor on my router. You never know and you are better safe than sorry in my book.
 
The victim isn't really the owner of the Mac, but the owner of the website if this malware is present...

All that's happening is the Mac gets different ads than it should.

That may be true for now, but it's like the proverbial camel getting its nose in under the tent.
 
This is clearly a failure in the notarization process— if the code is known to be bad, it should be blocked from the start. Notarization still proved valuable in the ability to revoke the app once the problem was found.

What I don’t understand is why you’d try to disguise your malware as just another form of malware... Maybe this slipped through the review because it was hard to distinguish what was malicious from what was Adobe?

No it's not. Notarization is not malware detection. It ensures that the binary actually came from who it claims to have come from. That's it. Just like a notary public proves that a document was signed by the person who claims to have signed it, and doesn't prove that the contents of the document are true.

This is a weird news article.
But it didn’t do that, did it? I don’t think Adobe submitted this...

Or is your point that Apple is notarizing that the developer signature is valid, not that the developer is who they claim to be— that this was a valid developer account, but there’s no check that this is the developer for Flash?
 
No it's not. Notarization is not malware detection. It ensures that the binary actually came from who it claims to have come from. That's it. Just like a notary public proves that a document was signed by the person who claims to have signed it, and doesn't prove that the contents of the document are true.

This is a weird news article.

Wrong. While it does do what you say, it also has an automated malware detection scan.
 
No it's not. Notarization is not malware detection. It ensures that the binary actually came from who it claims to have come from. That's it. Just like a notary public proves that a document was signed by the person who claims to have signed it, and doesn't prove that the contents of the document are true.

This is a weird news article.
That’s code signing, not notarization. Notarization does indeed include checks for malicious software: “The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.” (Source)
 
Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.

What are you going on about? Allowing 3rd party apps without the App Store would make this problem way worse. At least with the notary system Apple can disable said software for distribution. I'm not trying to apologize for Apple though, they done messed up but no one is perfect.
 
Yes it does. But the argument was that it is "useless." It was never intended to be the first line of defense against malware.
Your argument was explicitly that notarization is not malware detection. You were incorrect; it is. That doesn’t mean it’s perfect, but it does detect malware.
 
Yes it does. But the argument was that it is "useless." It was never intended to be the first line of defense against malware.

Well, I would argue that it IS the first line of defence.

I do agree that it isn't (and can't be) 100% perfect, but yeah it's definitely not "worthless" either.
 
Update: it has been quite confusing to understand what really happened.
Reading extra articles made it clearer.
 
Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.

The purpose of notarisation is not to provide 100% safety after the first "review", but it is the ability to withdraw the notarisation so the application will not run which is important.
 
Yeah, I don't see the problem here per se. Notarization isn't intended to be perfect, it's just an extra check. We can have arguments about whether the value is worth forcing on developers (i.e., Apple could change the warning message for non-notarized software to make it a bit easier for users), but it seems like a nice feature to have as an option.

---

Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.

Or maybe let users decide what risks they're comfortable taking? Allowing apps from outside the App Store for some people ≠ removing the App Store.

Now wait a minute. You mean that Flash is still around? And on top of that, it is still used on Macs? :eek:

Adobe says Flash will continue to be supported through the end of 2020.
 
Just another reason why we should be allowed to install 3rd party apps on iOS without the App Store. Just because Apple approves the app (I know it’s for macOS in this particular article) doesn’t mean it’s guaranteed to be safe.
How does the first sentence in any way lead to the second sentence?
 
Aha, no wonder I have seen so many download "flash" attempts at the Pirate Bay site.
Has to be the malware.
 