HandBrake Urges Mac Users To Verify Recent Download, Says Mirror Server Was Compromised (handbrake.fr) 22
HandBrake team, writing on their forum: Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it. Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have 50/50 chance if you've downloaded HandBrake during this period. If you see a process called "Activity_agent" in the OSX Activity Monitor application. You are infected. HandBrake is a popular, open-source video conversion tool. The team hasn't issued any advisory for Windows users.
Actibity_agent (Score:4, Informative)
Do not confuse Activity_agent with "Activity Monitor", which is a perfectly legitimate process and part of the core Mac OS tools.
The trojan was likely named thus in order to maximize the potential for confusion.
Or for Linux users... (Score:1)
The team hasn't issued any advisory for Windows users.
The team also hasn't issued any advisory for Linux users. Just Mac users, largely because they're FOSS, and can't afford (or don't want) the "developer" license from Apple.
http://www.handbrake.fr/downloads.php
It's most likely a legal is (licenses are cheap) (Score:2, Informative)
Apple developer licenses [apple.com] are ridiculously cheap when compared to most other companies. It's 99 USD/year for a macOS or iOS license. The 299 USD license is only if you intend to develop in-house apps that you distribute and update internally. The bigger headache for most FOSS teams is that they either have to register the license to an individual or to an organization. Registering under an individual is quick/easy but can be problematic if something happens to that person or they decide to hijack the pro
Re: (Score:3)
To check if you have the update, enter the following command into Terminal:
2091 (or later) should be automatically installed, assuming that you have "Automatically check for updates" and "Install system data files and security updates" selected in
Was It Signed? (Score:3)
Does anyone know if the fake Handbrake was signed with a macOS developer certificate? That's generally not been the case for malware. Which means that this should have been rejected by most systems.
Re: (Score:3)
This has happened to them multiple times already. I'm sure they could come up with $100/yr to avoid it happening again. I've donated close to that much over the years.
At this point, not wanting to sign their application is just a disrespect their users.
Re: (Score:2)
Perhaps. But I've extracted all my DVDs to my media server and the DVDs are now in boxes.
[John]
Re: (Score:2)
Apple will give a developer cert to anybody that pays for it and doesn't start distributing malware and get it revoked. They may not allow it in their store, but who cares about that?
Re:Was It Signed? (Score:4, Informative)
Handbrake is not signed, but they are interested in having it signed in the future.
The challenge is they are neither an organisation or an individual developer. To be recognised as a legitimate organisation you need a DUNS [wikipedia.org] and go through the required paper work. This leaves them with the individual developer approach, which would probably require a trusted person, part of the inner team that would sign on behalf of the team. There are risks of course, but not many good alternatives.
I am wondering whether in the future the FSF could act as the necessary 'organisation', but then it is trying to work out the paper work, how to avoid abuse and what the cost would be. Yet another alternative would be for Apple to suggest a workable alternative. Maybe a notion of a team certificate, but with extra background checks? I am sure there are other good ideas out there.
Re: (Score:1)
There are no serious PR hits caused by unsigned software with their current approach. By default unsigned software isn't be allowed to run. Users have to take very specific actions to run unsigned software, either on an app-by-app basis or by disabling the checks altogether.
Re: (Score:2)
They should set up an individual account owned by one of the people authorised to create the SHA signatures and give the login details to all the other people so authorised. It seems pretty straight forward to me.
Re: (Score:2)
They are looking at something like this, but it is just ensuring the right checks and balances are in place. One thing we may see is VideoLAN (organisation responsible for VLC) offering to sign on behalf of the project. There is discussion here, but nothing is official at this point.
Summary from Article (Score:5, Informative)
- HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/H... [github.com]
- The Affected Download mirror (download.handbrake.fr) has been shutdown for investigation.
- The Primary Download Mirror and website were unaffected.
- Downloads via the applications built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don't pass.
- Downloads via the applications built-in updater with 0.10.5 and earlier did not have verification so you should check your system with these older releases
Re: (Score:1)
What if we don't have the ".dmg" anymore and have already dragged it into /Applications? Where is the checksum for the actual ".app" package? What infection files should we be looking for?
BTW, I dragged Handbrake into a VM before using it. It is possible that I launched it before I dragged it into the VM though, but I would not have entered my admin password if it prompted me for that.