Slashdot Mirror


HandBrake Urges Mac Users To Verify Recent Download, Says Mirror Server Was Compromised (handbrake.fr)

HandBrake team, writing on their forum: Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it. Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you've downloaded HandBrake during this period. If you see a process called "Activity_agent" in the OSX Activity Monitor application, you are infected. HandBrake is a popular, open-source video conversion tool. The team hasn't issued any advisory for Windows users.

22 comments

  1. Activity_agent by Anonymous Coward · · Score: 4, Informative

    Do not confuse Activity_agent with "Activity Monitor", which is a perfectly legitimate process and part of the core Mac OS tools.
    The trojan was likely named thus in order to maximize the potential for confusion.

    1. Re:Activity_agent by Demolition · · Score: 2
      Shortly after the HandBrake team reported this to Apple, an updated XProtect version (2091) was rolled out which adds detection signatures for "OSX.Proton.B".

      To check if you have the update, enter the following command into Terminal:

      defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version

      2091 (or later) should be automatically installed, assuming that you have "Automatically check for updates" and "Install system data files and security updates" selected in the App Store pane (in System Preferences).

      If you don't have the latest XProtect definitions, then you can force it to update by entering this in Terminal:

      sudo softwareupdate --background-critical

  2. no it's fine, really by Anonymous Coward · · Score: 0

    Just believe me, mr first post. Take the download, it's fine. Really.

  3. Cue by Anonymous Coward · · Score: 0, Troll

    "But I bought a Mac because I was told they don't get 'viruses'!"

  4. Was It Signed? by rsmith-mac · · Score: 2

    Does anyone know if the fake Handbrake was signed with a macOS developer certificate? That's generally not been the case for malware. Which means that this should have been rejected by most systems.

    1. Re:Was It Signed? by Anonymous Coward · · Score: 0

      Does anyone know if the fake Handbrake was signed with a macOS developer certificate? That's generally not been the case for malware. Which means that this should have been rejected by most systems.

      No. The handbrake developers neither want nor are able to afford a macOS developer certificate. https://support.apple.com/kb/PH18657?locale=en_US

    2. Re:Was It Signed? by Bigbutt · · Score: 1

      Perhaps. But I've extracted all my DVDs to my media server and the DVDs are now in boxes.

      [John]

      --
      Shit better not happen!
    3. Re:Was It Signed? by Midnight+Thunder · · Score: 3, Informative

      Handbrake is not signed, but they are interested in having it signed in the future.

      The challenge is they are neither an organisation nor an individual developer. To be recognised as a legitimate organisation you need a DUNS and go through the required paper work. This leaves them with the individual developer approach, which would probably require a trusted person, part of the inner team, that would sign on behalf of the team. There are risks of course, but not many good alternatives.

      I am wondering whether in the future the FSF could act as the necessary 'organisation', but then it is trying to work out the paper work, how to avoid abuse and what the cost would be. Yet another alternative would be for Apple to suggest a workable alternative. Maybe a notion of a team certificate, but with extra background checks? I am sure there are other good ideas out there.

      --
      Jumpstart the tartan drive.
    4. Re:Was It Signed? by Anonymous Coward · · Score: 0

      What you should be wondering is if, in the very near future, it will even be possible for Handbrake to launch without being digitally signed by an Apple-registered/verified developer who will accept liability for any viruses. Such PR hits on the Apple brand (even over obscure media programs used by a small portion of its users on older DVD-equipped systems) cost investors/retirees/employees billions. There's no reason for Apple to allow that, especially after observing what happened to the guys up in Redmond that did.

    5. Re:Was It Signed? by chihowa · · Score: 2

      This has happened to them multiple times already. I'm sure they could come up with $100/yr to avoid it happening again. I've donated close to that much over the years.
      At this point, not wanting to sign their application is just disrespecting their users.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    6. Re:Was It Signed? by chihowa · · Score: 1

      Apple will give a developer cert to anybody that pays for it and doesn't start distributing malware and get it revoked. They may not allow it in their store, but who cares about that?

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    7. Re:Was It Signed? by Anonymous Coward · · Score: 1

      There are no serious PR hits caused by unsigned software with their current approach. By default unsigned software isn't allowed to run. Users have to take very specific actions to run unsigned software, either on an app-by-app basis or by disabling the checks altogether.

    8. Re:Was It Signed? by jeremyp · · Score: 1

      They should set up an individual account owned by one of the people authorised to create the SHA signatures and give the login details to all the other people so authorised. It seems pretty straight forward to me.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    9. Re:Was It Signed? by Midnight+Thunder · · Score: 1

      They are looking at something like this, but it is just ensuring the right checks and balances are in place. One thing we may see is VideoLAN (organisation responsible for VLC) offering to sign on behalf of the project. There is discussion here, but nothing is official at this point.

      --
      Jumpstart the tartan drive.
  5. Or for Linux users... by Anonymous Coward · · Score: 1

    The team hasn't issued any advisory for Windows users.

    The team also hasn't issued any advisory for Linux users. Just Mac users, largely because they're FOSS, and can't afford (or don't want) the "developer" license from Apple.
    http://www.handbrake.fr/downloads.php

  6. It's most likely a legal issue (licenses are cheap) by Anonymous Coward · · Score: 2, Informative

    Apple developer licenses are ridiculously cheap when compared to most other companies. It's 99 USD/year for a macOS or iOS license. The 299 USD license is only if you intend to develop in-house apps that you distribute and update internally. The bigger headache for most FOSS teams is that they either have to register the license to an individual or to an organization. Registering under an individual is quick/easy but can be problematic if something happens to that person or they decide to hijack the project (both of which have happened with FOSS projects before). Registering an organization is fairly easy as well but creating and maintaining a legal entity can be a headache depending on where it's based. In most states in the US you have to have a charter, keep minutes, financial reports, etc. Given that it's already a labor of love for most people on the project, finding someone with the time and experience to deal with all of that can be difficult. So most don't.

  7. Summary from Article by CanadianMacFan · · Score: 4, Informative

    - HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/H...

    - The Affected Download mirror (download.handbrake.fr) has been shutdown for investigation.

    - The Primary Download Mirror and website were unaffected.

    - Downloads via the application's built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don't pass.

    - Downloads via the application's built-in updater with 0.10.5 and earlier did not have verification, so you should check your system with these older releases.

    1. Re:Summary from Article by Anonymous Coward · · Score: 1

      What if we don't have the ".dmg" anymore and have already dragged it into /Applications? Where is the checksum for the actual ".app" package? What infection files should we be looking for?

      BTW, I dragged Handbrake into a VM before using it. It is possible that I launched it before I dragged it into the VM though, but I would not have entered my admin password if it prompted me for that.