If I could turn back time —

Dear Kaspersky Lab: Yours is a very bad installer [Updated]

Installing Kaspersky Internet Security reveals some gaps in software security practices.

Not what you expect when you're installing software you just bought from a software publisher online.

On Tuesday, I got a text message from my father that nearly made me fall off the treadmill at the gym: "Help! How do I turn off untrusted on my Mac?"

I texted back, "What do you mean?" and then stepped off to call him. He explained that he was trying to install Kaspersky Internet Security on his MacBook; his auto-renewal for software updates had been cancelled because he had gotten a new credit card, so Kaspersky had told him he needed to do a new install to re-establish his account. After downloading the installer from Digital River through an online purchase, he launched it and got an error: "Certificate used to sign package is not trusted. Use -allowUntrusted to override."

Given that there have been a number of cases of MacOS malware-protection tools being shown to create security vulnerabilities (including, most recently, the revelation that ESET Endpoint Antivirus 6 for macOS could be exploited by an attacker to execute code remotely), I was concerned that something was going horribly wrong. I was afraid my father had somehow gotten a maliciously altered copy of the installer or that some other hijinks were involved, so I told him to contact Kaspersky's technical support. Then I got back on the treadmill. As I finished up my morning run, he texted again:

"I went to their chat center and they resolved the problem. I had to set the date on the computer back two weeks. Then it installed properly."

To summarize: the installer failed, but the error it gave named a command-line flag that shows how to bypass the validation of its software packages' signatures. The certificate on the packages being sold digitally (a September 15, 2016 build) had already expired. And the fix for that problem was to set the system clock back two weeks, to a date before the expiry, and perform the install. That works because an expiry check only compares the certificate's validity window against the local clock, which the person at the keyboard controls.

I asked my father to send me the installer so I could take a look at it. It arrived in a nearly 200-megabyte MacOS disk image file, along with an uninstaller application. With his permission, I ran the installer to diagnose what was going on—and poked around the installer to see what was under the hood. I did not complete the install myself in the process.

As it turns out, the installer is essentially an encapsulated WebKit application powered partially by JavaScript, plus a 186-megabyte software package file for Apple's own Installer utility. The certificate holding up the install is the one issued by Apple's developer program to Kaspersky Lab UK LTD.

And sure enough, the certificate on the package expired on February 22.

The expired certificate in question.

But an expired certificate isn't something that would normally stop an Apple install. In fact, when the package is opened on its own with Apple's Installer.app, it proceeds normally, because Apple accepts a signature made with a developer certificate that has since expired, for backward compatibility with software signed long ago. MacOS will not, however, allow a package whose certificate has been revoked to install.

That means the check that failed was not the one Installer.app performs. The -allowUntrusted flag named in the error belongs to Apple's command-line installer utility, which is stricter about certificate validity; Kaspersky's own installation wrapper evidently drives the install through that tool, apparently as part of validating the package before it is run. Either way, the wrapper surfaced an error message that tells the user how to bypass that very check (though they are not instructions an average Mac user would know how to follow).
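Why the support team's workaround worked is worth seeing concretely. The Go program below is an added example, not code from the article or from Kaspersky: it mints a hypothetical self-signed code-signing certificate that expires on February 22, 2017, verifies it with Go's x509 package (standing in for the installer's certificate check) as of February 27, and then verifies it again with the clock rolled back two weeks. The certificate name, key and dates are constructed for the example; nothing here is the real Apple-issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeSigningCert mints a self-signed code-signing certificate valid between the
// two dates. It stands in for the Apple-issued developer certificate; the name
// and dates are constructed for the example.
func makeSigningCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Hypothetical Installer Signing Certificate"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAt does what a strict installer does: it validates the signing certificate
// against the trusted roots as of the supplied clock. The clock is the weak point:
// an installer that reads it from the system gets whatever time the user set.
func checkAt(cert *x509.Certificate, clock time.Time) (trusted, expired bool, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the self-signed cert is its own trust anchor here
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: clock,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err == nil {
		return true, false, nil
	}
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.Expired {
		return false, true, err
	}
	return false, false, err
}

// clockRollbackDemo replays the support workaround with the article's dates: the
// certificate expired on February 22, 2017; the install is tried on February 27
// and then with the system clock set back two weeks.
func clockRollbackDemo() (rejectedToday, acceptedRolledBack bool, err error) {
	expiry := time.Date(2017, time.February, 22, 0, 0, 0, 0, time.UTC)
	cert, err := makeSigningCert(expiry.AddDate(-1, 0, 0), expiry)
	if err != nil {
		return false, false, err
	}
	today := time.Date(2017, time.February, 27, 12, 0, 0, 0, time.UTC)
	trusted, expired, _ := checkAt(cert, today)
	rejectedToday = !trusted && expired
	trusted, _, _ = checkAt(cert, today.AddDate(0, 0, -14))
	acceptedRolledBack = trusted
	return rejectedToday, acceptedRolledBack, nil
}

func main() {
	rejected, accepted, err := clockRollbackDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("rejected as expired on Feb 27: %v\naccepted with clock set back two weeks: %v\n", rejected, accepted)
}
```

The lesson for anyone building an installer: a validity-window check on its own is not a security boundary, because the input it trusts is a user-settable clock. Revocation checking and a trusted timestamp on the signature are what distinguish "this certificate has lapsed" from "this signature should never have been trusted."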

To see if there were any clues as to how the certificate was being checked by the installer, I ran it while performing a packet capture. I discovered that the installer does make an effort at launch to validate the contents of the package over the Internet, but not the sort of check I expected. The installer connects to a Kaspersky website via HTTP and fetches a text file containing the names, sizes, and what appear to be hash values for the files in the installer's "Packages" payload. Aside from kismac.pkg (the main software payload), the other files are all Rich Text Format files with Kaspersky's end-user license agreement in various languages. At the end of the list is a concatenated string that appears to contain keys.

Again, all of this travels in plain text: unencrypted HTTP, readable and rewritable by anyone on the network path. A list of hashes fetched that way protects only against accidental corruption; it protects against tampering only if the list itself carries a signature that the installer verifies against a key it already trusts before it believes any of the hashes. That's the extent of the installer's communication with Kaspersky over the Internet.
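What such a manifest check has to look like for a plaintext HTTP fetch to be safe, as an added example that is not Kaspersky's code or actual file format (the line layout, the ed25519 key, and the file contents are all constructed for illustration): the installer ships a pinned public key, the server's manifest ends with a signature over the list, and the installer checks the signature first and only then the per-file sizes and SHA-256 hashes. The three scenarios in scenarios() show what an on-path attacker has to get past: swapping the package alone fails the hash check, and rewriting the manifest to match a trojaned package fails the signature check unless the attacker also holds the signing key.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// buildManifest renders the payload as "name size sha256" lines in sorted order,
// followed by one line holding a base64 ed25519 signature over everything before
// it. This layout is constructed for the example, not Kaspersky's format.
func buildManifest(files map[string][]byte, priv ed25519.PrivateKey) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var body bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&body, "%s %d %s\n", n, len(files[n]), sha256Hex(files[n]))
	}
	sig := ed25519.Sign(priv, body.Bytes())
	body.WriteString(base64.StdEncoding.EncodeToString(sig) + "\n")
	return body.Bytes()
}

// verifyManifest is what an installer must do with a manifest fetched over plain
// HTTP: verify the signature with a key shipped inside the installer before
// trusting any size or hash, then check every payload file against the list.
func verifyManifest(manifest []byte, pinned ed25519.PublicKey, files map[string][]byte) error {
	trimmed := bytes.TrimRight(manifest, "\n")
	i := bytes.LastIndexByte(trimmed, '\n')
	if i < 0 {
		return errors.New("manifest has no signature line")
	}
	body, sigLine := manifest[:i+1], trimmed[i+1:] // body keeps its trailing newline
	sig, err := base64.StdEncoding.DecodeString(string(sigLine))
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	if !ed25519.Verify(pinned, body, sig) {
		return errors.New("manifest signature does not verify against pinned key")
	}
	sc := bufio.NewScanner(bytes.NewReader(body))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			return fmt.Errorf("malformed manifest line %q", sc.Text())
		}
		size, err := strconv.ParseInt(f[1], 10, 64)
		if err != nil {
			return fmt.Errorf("bad size in %q", sc.Text())
		}
		data, ok := files[f[0]]
		if !ok {
			return fmt.Errorf("%s listed in manifest but missing from payload", f[0])
		}
		if int64(len(data)) != size {
			return fmt.Errorf("%s: size %d, manifest says %d", f[0], len(data), size)
		}
		if sha256Hex(data) != f[2] {
			return fmt.Errorf("%s: SHA-256 mismatch", f[0])
		}
	}
	return sc.Err()
}

// scenarios returns whether each case is accepted: a genuine payload, a trojaned
// kismac.pkg with the genuine manifest, and a trojaned kismac.pkg with a manifest
// an on-path attacker rewrote to match it (signed with a key of their own).
func scenarios() (genuineOK, trojanOK, forgedManifestOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		return
	}
	files := map[string][]byte{ // constructed stand-ins for the Packages/ payload
		"kismac.pkg":     []byte("constructed: installer payload bytes"),
		"license_en.rtf": []byte(`{\rtf1 constructed license text}`),
	}
	manifest := buildManifest(files, priv)
	genuineOK = verifyManifest(manifest, pub, files) == nil

	trojaned := map[string][]byte{"kismac.pkg": []byte("constructed: malicious payload"), "license_en.rtf": files["license_en.rtf"]}
	trojanOK = verifyManifest(manifest, pub, trojaned) == nil

	_, attackerKey, _ := ed25519.GenerateKey(nil)
	forged := buildManifest(trojaned, attackerKey) // hashes now match; signature cannot
	forgedManifestOK = verifyManifest(forged, pub, trojaned) == nil
	return
}

func main() {
	g, t, f, err := scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v\ntrojaned pkg, genuine manifest: %v\ntrojaned pkg, forged manifest: %v\n", g, t, f)
}
```

Without the pinned-key signature step, the last scenario succeeds: an attacker who can rewrite the HTTP response can make the manifest agree with whatever package they substitute. Serving the same file over HTTPS would close the on-path rewrite but not a compromised server, which is why the signature and the pinned key belong in the installer regardless of transport.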

None of this suggests directly that Kaspersky's installer is vulnerable to tampering or exploitation. But it's not exactly a model of best security practices, either. I reached out to Kaspersky on Tuesday to ask about the rationale behind the installer and why, instead of offering a patched version, the company’s support team was telling users to turn their system clocks back.

Update [February 28, 1:00 pm]: A company spokesperson provided the following response:

This was a technical issue that only occurred for 24 hours, which was reviewed and fixed within Kaspersky Internet Security. Also, the system clock was a temporary solution to help address the customer’s needs in a timely manner while the issue was being resolved.

Update [March 1, 12:00 pm]: Kaspersky clarified their response, as follows:

Kaspersky Lab would like to apologize for the inconvenience caused by an outdated certificate in Kaspersky Internet Security for Mac installer. On February 22, some Kaspersky Lab users encountered problems with the installation process: the certificate in Kaspersky Internet Security for Mac, with which the operating system validates the installation of the software, expired on February 22. This issue was reviewed and fixed on February 23. During this 24-hour period, in order not to leave our users unprotected, Kaspersky Lab technical support helped users to turn their system clocks back as a temporary solution. We would like to assure all our customers that actions have been taken to prevent such incidents from occurring in the future.

To avoid any confusion, we would also like to comment on some points in the article “Dear Kaspersky Lab: Yours is a very bad installer”.

The certificate had expired for only 24 hours, not two weeks, and the certificate check is being done by the macOS installation utility, not by the product's installation wrapper. The message "Use -allowUntrusted to override" is the standard notification of the macOS installation command-line utility, shown when a user tries to install software with an outdated certificate, and regardless of this notification users don’t have the possibility of installing the product.

We would also like to provide more information on the installation process. The product's installation wrapper connects to the Kaspersky Lab website only to check if a newer version of the product is available. If a new version is in place, the installation wrapper downloads a new package and verifies by its hash that this is the correct file. There is nothing unusual about the text string mentioned in the article; it doesn’t contain keys and is in fact a cryptographic signature of the file that the installer checks to verify the integrity of an installation package being downloaded. Then, it initiates installation, and the operating system checks its signature as well. This installation wrapper is signed by an Apple-issued certificate, and a macOS feature called Gatekeeper regulates its launch and the certificate check.

Despite Kaspersky's contention that the problem lasted only 24 hours, the software in question was purchased and downloaded on February 26, and Kaspersky's technical support told the user (my father) to turn the clock back on February 27.
