Is code-signing the solution against malware?

I was reading the comments on Schneier’s “Is antivirus dead?” article. As usual, Bruce Schneier is sharp and gets the whole picture.

One of the comments on that article said to stop using Windows. Not using Windows is, unfortunately, the wrong solution. Other platforms like Mac OS X have serious security bugs; Linux has also had security bugs, and so has Solaris. Even OpenBSD might have security bugs that have yet to be discovered. The more people start using Mac OS X, Linux, Solaris or any other modern operating system, the more these vulnerabilities will be exploited. That other operating systems might (or might not) be more secure than Windows doesn’t mean they are not vulnerable to exploits. And the more critical mass these operating systems get, the more interested hackers will be in actively exploiting even the smallest security bug. As long as an OS has an exploitable bug there is potential for compromise. And even if the OS is completely secure, we still have untrained users 🙂

Another comment mentioned that code-signing is the solution to stop malware, but I have to strongly disagree. A hacker can potentially get his code signed and pushed to you. That code is then run and the system is infected by a trojan or other malware. It is true that getting malicious code signed is not trivial, but I’m sure a good hacker can deceive some well-known signing authorities. And by the time you get infected by signed code it will be difficult to know what exactly infected your system. It will be difficult to prove whether it was that suspicious but digitally-signed code that you recently downloaded from a website, or something else you downloaded months ago. At that point, if the system is compromised, evidence might already have been destroyed.
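To make the limits of code-signing concrete, here is an added example (not code from the post or from any signing vendor) written in Go with the standard library’s Ed25519 package. It assumes a simple local trust policy, a list of trusted publisher keys plus a revocation list, which is my own construction, and the two artifacts it signs are constructed stand-ins, not real software. The point it demonstrates: a signature verifies that the bytes came unmodified from a key, nothing more. A harmless script and a harmful one signed by the same key both verify, so a verifier that checks only signature validity cannot tell them apart; only a separate trust decision about the signer (and revocation once the key is known to be abused) changes the outcome, and revocation helps after the fact only if you recorded which key signed what you installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Verdict separates the questions a signed download raises: is the signature
// cryptographically valid, do we trust the key that made it, and has that key
// been revoked since. Validity alone says nothing about what the code does.
type Verdict struct {
	SignatureValid bool
	SignerTrusted  bool
	SignerRevoked  bool
}

// Allow is the only bit an installer should act on.
func (v Verdict) Allow() bool {
	return v.SignatureValid && v.SignerTrusted && !v.SignerRevoked
}

// Policy is a hypothetical local trust store: publisher keys the organisation
// has decided to trust, and keys withdrawn after abuse or theft.
type Policy struct {
	Trusted map[string]bool
	Revoked map[string]bool
}

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

func NewPolicy(trusted ...ed25519.PublicKey) *Policy {
	p := &Policy{Trusted: map[string]bool{}, Revoked: map[string]bool{}}
	for _, k := range trusted {
		p.Trusted[keyID(k)] = true
	}
	return p
}

func (p *Policy) Revoke(pub ed25519.PublicKey) { p.Revoked[keyID(pub)] = true }

// Evaluate checks the artifact bytes against the signature and the policy.
func (p *Policy) Evaluate(pub ed25519.PublicKey, artifact, sig []byte) Verdict {
	id := keyID(pub)
	return Verdict{
		SignatureValid: ed25519.Verify(pub, artifact, sig),
		SignerTrusted:  p.Trusted[id],
		SignerRevoked:  p.Revoked[id],
	}
}

// ScenarioResult holds the verdicts for each case the post argues about.
type ScenarioResult struct {
	BenignBefore   Verdict // harmless artifact, trusted key
	HarmfulBefore  Verdict // harmful artifact, same trusted key: verifies just as well
	TamperedBenign Verdict // bytes altered after signing: the case signing does catch
	UnknownSigner  Verdict // harmful artifact signed by a key nobody chose to trust
	BenignAfter    Verdict // same artifacts after the trusted key is revoked
	HarmfulAfter   Verdict
}

// Scenario runs the whole comparison on constructed data.
func Scenario() (ScenarioResult, error) {
	var r ScenarioResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	// Constructed artifacts: the signature covers bytes, not behaviour.
	benign := []byte("#!/bin/sh\necho 'installing update'\n")
	harmful := []byte("#!/bin/sh\necho 'this line stands in for a trojan payload'\n")

	policy := NewPolicy(pub)
	benignSig := ed25519.Sign(priv, benign)
	harmfulSig := ed25519.Sign(priv, harmful)

	r.BenignBefore = policy.Evaluate(pub, benign, benignSig)
	r.HarmfulBefore = policy.Evaluate(pub, harmful, harmfulSig)

	tampered := append(append([]byte{}, benign...), []byte("echo extra\n")...)
	r.TamperedBenign = policy.Evaluate(pub, tampered, benignSig)

	r.UnknownSigner = policy.Evaluate(otherPub, harmful, ed25519.Sign(otherPriv, harmful))

	// The key is later found to have signed malware and is revoked; the old
	// signatures still verify, only the trust decision changes.
	policy.Revoke(pub)
	r.BenignAfter = policy.Evaluate(pub, benign, benignSig)
	r.HarmfulAfter = policy.Evaluate(pub, harmful, harmfulSig)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("benign, trusted key:      allow=%v\n", r.BenignBefore.Allow())
	fmt.Printf("harmful, same key:        allow=%v (signature cannot tell)\n", r.HarmfulBefore.Allow())
	fmt.Printf("tampered after signing:   valid=%v\n", r.TamperedBenign.SignatureValid)
	fmt.Printf("unknown signer:           valid=%v trusted=%v\n", r.UnknownSigner.SignatureValid, r.UnknownSigner.SignerTrusted)
	fmt.Printf("harmful after revocation: valid=%v allow=%v\n", r.HarmfulAfter.SignatureValid, r.HarmfulAfter.Allow())
}
```

Run it with `go run` and the harmful artifact is allowed exactly as the benign one until the key is revoked; that is the gap the post describes. A real signing scheme adds certificates, timestamps and an authority chain on top of this, but the verifier still ends at the same question: whom do you trust, and what do you do when that trust turns out to have been misplaced.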
