Last week, many Mac users saw malware alerts on their screens when trying to use an HP printer. Here is what happened.
Apple holds the keys to almost all current Mac software. Here is a story about these keys and how a Hewlett Packard (HP) mistake caused problems for many people.
Code signing and certificates
First of all, it’s important to understand that when I say the keys, I actually mean certificates. These certificates are similar to the certificates that form the basis for secure communication between the web server and your browser. For web traffic, these certificates are used to encrypt data, but they support more than just encryption.
Certificates also make validation possible. For example, if you try to connect to your bank’s website, the website certificate confirms that the site really is your bank’s. Of course, not many people look at these certificates, but checking them is a good way to avoid a phishing site.
What does this have to do with Apple and HP, you wonder? That’s a good question. Apple has supported code signing on macOS for several years. Code signing uses a certificate to cryptographically sign the software. This allows the system and the user to check which developer created the software and to ensure that it has not been modified since it was signed.
In recent years, Apple has gone beyond merely supporting code signing and has come as close as possible to requiring it. If you, the developer, do not sign your Mac software, your users will have trouble making it work and you (or your support staff) will receive numerous requests for help. In addition, many people are likely to simply uninstall your software.
This applies of course to applications that you download from the internet or the App Store, but also to more everyday software such as printer drivers. HP produces printers and therefore printer drivers, and of course these drivers are signed.
The certificates used to sign software on macOS (and iOS) are provided and managed by Apple. The certificates used by HP are no exception.
So, what happened?
Last Thursday evening (October 22nd) we received a flood of requests for help from people complaining about new malware we hadn’t detected. At least that’s what they said. However, as we dug deeper, we found that the screenshots we were seeing showed a pattern.
The malware was being reported by the anti-malware capabilities built into macOS, and there were a dozen or more different processes that macOS claimed would damage your computer, with the “Report malware to Apple to protect other users” checkbox checked. Sounds pretty scary, doesn’t it?
However, we found that all of these detections were (for the most part*) related to HP printer drivers. The messages usually appeared when people tried to print on HP printers. The software samples we received turned out to be legitimate, with no signs of malicious behavior.
Why did macOS think it was malicious?
Originally, many fingers pointed to the latest XProtect update. (XProtect is a basic form of malware protection built into macOS to prevent malware from launching.) The assumption was that this was a false positive, in other words, that XProtect had wrongly identified legitimate files as malicious.
However, the date of the last XProtect update did not coincide with the very sudden and widespread occurrence of the problem. After some digging, we discovered that the cause of the problem was that the developer certificate used to sign these HP drivers had been revoked.
In general, Apple revokes a certificate when it determines that malicious software has been signed with that certificate. Originally it was assumed that Apple had accidentally revoked the certificate. However, according to a statement HP provided to The Register, HP itself had mistakenly requested the revocation of the certificate.
“For some older versions of the Mac drivers, we accidentally revoked the access data. This has caused a temporary interruption for these customers and we are working with Apple to pick up the drivers. In the meantime, we recommend that users who experience this problem remove the HP driver and use the native AirPrint driver to print to the printer.”
Apple was able to restore the revoked certificate, which solved the problem for some, but not for everyone. In a few days more cases will be reported.
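The difference described above, between a malware detection and a revoked signing certificate, can be checked from Terminal with the codesign tool that ships with macOS. The script below is an added example, not part of the original article: the verdict names are its own, and the paths and sample output lines in the demo are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the article): sort macOS "will damage your computer"
# alerts by code-signing status. Verdict names are this example's own.

# Map the text printed by `codesign --verify` to a verdict.
classify_codesign() {
  case "$1" in
    *CSSMERR_TP_CERT_REVOKED*) echo revoked ;;    # signing certificate was revoked
    *"not signed at all"*)     echo unsigned ;;
    *"invalid signature"*|*"sealed resource"*) echo modified ;;  # changed after signing
    *"valid on disk"*)         echo valid ;;
    *)                         echo unknown ;;
  esac
}

# Verify one path with codesign (macOS only); prints "verdict<TAB>path".
check_path() {
  local out
  out=$(codesign --verify --deep --strict --verbose=2 "$1" 2>&1) || true
  printf '%s\t%s\n' "$(classify_codesign "$out")" "$1"
}

# Count verdicts from "verdict<TAB>path" lines on stdin.
summarise() {
  awk -F'\t' '{ n[$1]++ } END { for (v in n) printf "%s=%d\n", v, n[v] }' | sort
}

# Constructed sample: codesign output for three placeholder bundles.
demo() {
  {
    printf '%s\t%s\n' "$(classify_codesign '/path/A.framework: CSSMERR_TP_CERT_REVOKED')" A
    printf '%s\t%s\n' "$(classify_codesign '/path/B.framework: CSSMERR_TP_CERT_REVOKED')" B
    printf '%s\t%s\n' "$(classify_codesign '/path/C.app: valid on disk')" C
  } | summarise
}

# With paths as arguments on a Mac, check them; otherwise run the constructed demo.
if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
  for p in "$@"; do check_path "$p"; done | summarise
else
  demo    # prints revoked=2 and valid=1
fi
```

When many flagged items from one vendor all come back as revoked and none as modified, the alerts trace back to the signing certificate rather than to tampered files.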
Consequences of false alarms
This is not the first time that certificates have been accidentally revoked. For example, a developer named Charlie Monroe reported in August that his Apple developer account had been completely deleted and his code signing certificate had been revoked. All his applications suffered from the same problem as the HP printer drivers.
With all security software, false alarms are always a potential problem. Mistakes happen, and Apple is not always at fault in such cases. But when a certificate for Mac software is revoked, it affects everyone who uses the software.
The consequences of these events can hit those affected hard. I don’t know about Charlie Monroe, but I suspect that a significant number of people who used his programs have probably stopped using them and will probably never trust his programs again.
For organizations like Malwarebytes, these events can result in hundreds or thousands of customer service tickets from customers wondering why we haven’t detected this malware, or even why we are blocking something legitimate (under the false assumption that this message is displayed by Malwarebytes). Some people may never have contacted our support team and simply deleted our software because they thought they had caught an infection while under our protection.
Ideal conditions for fraud
One of the most unfortunate aspects of these events is that they create an incredibly fertile breeding ground for fraud. There is an explosion of videos and fraudulent websites claiming to help remove this malware. These scams work by targeting ordinary things that people search for because they think they are malware.
For example, if you now search Google for “damage your computer”, you will get some results that offer to help you repair the damage to your computer (yes, in that very meaningless language). Some of these sites, and fake YouTube videos with links to them, took advantage of this chaos for a few hours on Friday.
The purpose of these sites is to make you think you are infected, so that you download the software they recommend to remove the virus. In reality, there is often no real malware, and the website receives a reward from an affiliate partner for every referral to the software in question. Often the recommended software itself is fraudulent.
It is very important to be skeptical when using Google (and other search engines). Don’t automatically believe that something is malicious just because you’ve searched Google and found websites that call it malicious.
How do I solve a problem with a Mac/HP printer?
If you are one of those who still have a problem, here are some possible solutions that have proven themselves for our customers:
1) Reboot the computer and make sure it is online when you restart.
2) Check whether there are HP software updates in the Software Update panel in System Preferences.
3) Remove the HP printer from System Preferences -> Printers & Scanners, and try adding it again.
4) Check for new HP software for your printer on the HP support website:
https://support.hp.com
5) If all else fails, contact HP through the support website for assistance.
* Addendum
Earlier we said that the problem is mainly related to HP printer drivers. Another problem arose with some Amazon applications, Amazon Music and Amazon Workspaces, where users experienced the same behavior. This gave rise to a lot of speculation and finger-pointing at Apple (in which unfortunately your humble servant also participated), but it seems that this was an unrelated issue that just happened to come up. It wasn’t Apple’s fault, as originally thought, and in fact Apple acted quickly to help HP fix the mistake.