Hello everyone.
I would like to know a bit more about vulnerability CVE-2022-46689. I searched the Internet and found that it was an exploit in the OS and that it was already fixed in the latest updates (I can't post the link here 😞).
During development we check our package (.PKG) via the VirusTotal website. When we updated macOS to 13.2 and Xcode to 14.2 and created the PKG, VirusTotal showed us that the PKG is infected and detected it as a virus (the Google and Ikarus vendors show it, and Ikarus detects CVE-2022-46689). We made a small test: we uploaded the PKG to Google Drive and tried to download it, and Google showed a warning that the file is infected with a virus. Before that we used macOS 10.15 and Xcode 12.1. I created the same PKG using the old environment with the same codebase and it passed all checks without any problems 🙂.
For me this is a very interesting thing, so I uploaded the files from our bundle to VirusTotal one by one and found that it marked the SystemExtension and Proxy files as a virus. We also have 2 executable files inside the bundle; they were also marked as viruses.
Possibly this is a problem with VirusTotal and these 2 vendors, but my question is the following:
As a developer, which places in the code that could be related to CVE-2022-46689 do I need to pay attention to? Maybe it will help us understand the reason for this issue and improve the security of our application overall.
Thanks in advance
I’m happy to comment on security fixes if they relate to your code. For example, if you’re writing code that’s stopped working because of a security fix, I’m happy to talk about that [1].
Re-reading your question today, that doesn’t seem to be the case here. While you are building a product for an Apple platform, that product is not having a problem on our platforms. Rather, it’s various third-party services that are complaining. I can’t comment on those.
Presumably your installer package will ship either via the Mac App Store or independently using Developer ID signing. Either way, you can have Apple run its checks on it. For the Mac App Store that means simply uploading it to the store. For independent distribution that means notarising it (and, if you want to go further, testing it per Testing a Notarised Product). If it passes those checks then Apple is happy.
Now it’s quite possible that these third-party services are spotting something that Apple has missed. If so, I’d appreciate you filing a bug against the Apple checker that missed it.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] For an example, see this thread.