Installing Kaspersky Internet Security reveals some gaps in software security practices.

On Tuesday, I got a text message from my father that nearly made me fall off the treadmill at the gym: "Help! How do I turn off untrusted on my Mac?"

I texted back, "What do you mean?" and then stepped off to call him. He explained that he was trying to install Kaspersky Internet Security on his MacBook; his auto-renewal for software updates had been cancelled because he had gotten a new credit card, so Kaspersky had told him he needed to do a new install to re-establish his account. After downloading the installer from Digital River through an online purchase, he launched it and got an error: "Certificate used to sign package is not trusted. Use –allowUntrusted to override."

Given that there has been a number of cases of MacOS malware protection tools being shown to create security vulnerabilities—including, most recently, the revelation that ESET Endpoint Antivirus 6 for macOS could be used to remotely execute code by an attacker—I was concerned that something was going horribly wrong. I was afraid my father had somehow gotten a maliciously altered copy of the installer or that some other hijinks were involved, so I told him to contact Kaspersky's technical support. Then I got back on the treadmill. As I finished up my morning run, he texted again:

"I went to their chat center and they resolved the problem. I had to set the date on the computer back two weeks. Then it installed properly."

To summarize: the installer failed, but it gave a command-line flag in its error that showed how to bypass the validation of its software packages' security. The certificate on the packages being sold digitally (a September 15, 2016 build) had expired two weeks previously. And the fix for that problem was to set the system clock back two weeks to perform the install.

I asked my father to send me the installer so I could take a look at it. It arrived in a nearly 200-megabyte MacOS disk image file, along with an uninstaller application. With his permission, I ran the installer to diagnose what was going on—and poked around the installer to see what was under the hood. I did not complete the install myself in the process.

As it turns out, the installer is essentially an encapsulated WebKit application powered partially by JavaScript, plus a 186-megabyte software package file for Apple's own Installer utility. The certificate holding up the install is the one issued by Apple's developer program to Kaspersky Lab UK LTD.

And sure enough, the certificate on the package expired on February 22.

But this isn't something that would normally stop an Apple install—in fact, when executed on its own with Apple's Installer.app, it would proceed normally because Apple allows expired developer certificates on software installations for backward compatibility. MacOS will not, however, allow a package with a revoked certificate to install.

That means that the certificate check was being done not by MacOS but by Kaspersky's own installation wrapper before launching the MacOS installation utility—apparently as part of a validation of the package. But then it also gave instructions within the error message on how to bypass that very check (though they are not instructions an average Mac user would know how to follow).

To see if there were any clues as to how the certificate was being checked by the installer, I ran it while performing a packet capture. And I discovered that there is an effort at install time to validate the contents of the package when the installer is launched over the Internet—but not the sort of check I expected. The installer connects to a Kaspersky website via HTTP and fetches a text file containing the names, sizes, and what appears to be hash values for the files in the installer's "Packages" payload. Aside from kismac.pkg (the main software payload), the other files are all Rich Text Format files with Kaspersky's end-user license agreement in various languages. At the end of the list is a concatenated string that appears to contain keys.

Again, all of this is in plain text. That's the extent of the installer's communication with Kaspersky over the Internet.

None of this suggests directly that Kaspersky's installer is vulnerable to tampering or exploitation. But it's not exactly a model of best security practices, either. I reached out to Kaspersky on Tuesday to ask about the rationale behind the installer and why, instead of offering a patched version, the company’s support team was telling users to turn their system clocks back. A company spokesperson replied that they were looking into it. We'll update this story with their response.