“I Can Be Apple, and so Can You” – Researcher Reveals an 11-Year-Old Code Signing Flaw in macOS / OS X
A security flaw in the way code signatures are checked on Apple's Mac platform has existed for the past 11 years, allowing unsigned code to appear to be signed by Apple. Okta REX security researcher Josh Pitts has revealed a bypass of the code signing checks used on macOS that could allow malicious code to masquerade as trusted code and slip past security tools.
The problem stems from unclear instructions from Apple, which led to malicious code being whitelisted by a wide range of security tools. Pitts wrote that this is a bypass of third-party developers' interpretation of the code signing API, which allowed unsigned malicious code to appear to be signed by Apple.
While code signing attacks aren't new, this attack, or bypass, does not require admin access, among other things, making it comparatively easy to carry out. "Unlike some of the prior work, this current vulnerability does not require admin access, does not require JIT'ing code, or memory corruption to bypass code signing checks," Pitts explained. "All that is required is a properly formatted Fat/Universal file and code signing checks return valid."
Apple desktop operating systems since 2007 (OS X Leopard) are vulnerable to this flaw.
Code signing is a core security function that works by cryptographically confirming that a piece of code is authentic and has not been tampered with. These digital signatures are meant to ensure that users can trust code and that malicious code cannot masquerade as legitimate code.
However, the latest research reveals that it has been trivial to bypass the code signing checks used by macOS security tools for the past several years, enabling criminals to pass off a malicious app as if it were legitimately signed.
"Imagine the havoc a sophisticated threat actor could wreak by tricking a user into downloading and executing malicious code that current security products deem as safe," security researchers wrote. "They can get access to personal data, financial details, or sensitive insider information."
As the Okta REX research explains, this bypass effectively enables a "bad actor to impersonate Apple and allow malicious code to live undetected in a macOS machine indefinitely (or at least until it's re-imaged or the offending file is removed)."
Today 91% of enterprises use Macs and depend on vendors like Carbon Black, Facebook, and Google to provide them with security tools to protect their environments. That trend is growing every year. People and businesses use Macs for many reasons; ease of use and security are chief among them.
What makes this worse is that by appearing to be legitimately signed, criminals can trick even the most tech-savvy people, since everyone tends to trust these digital signatures.
The problem isn't, however, with Apple's code. It's with the company's documentation. Security researcher Patrick Wardle said this is "basically just unclear/confusing documentation that led to people using their API incorrectly." Apple has now updated its documentation and has recommended that third-party developers "use kSecCSCheckAllArchitectures and kSecCSStrictValidate with SecStaticCodeCheckValidity API."
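As an added example, not code from the article or from the Okta REX writeup, the following shows the check a third-party security tool would make with SecStaticCodeCheckValidity, once with the default flags and once with the kSecCSCheckAllArchitectures and kSecCSStrictValidate flags Apple now recommends. It is written against Apple's Security.framework and must be built on macOS; the path /Applications/Example.app and the "anchor apple" requirement string are illustrative choices, not values from the article.

```objectivec
// Added example (not from the article or Okta REX). Build on macOS with:
//   clang -framework Security -framework CoreFoundation check.m -o check
// Usage: ./check /path/to/App.app   (default path below is an assumption)
#import <Security/Security.h>
#import <CoreFoundation/CoreFoundation.h>
#include <stdbool.h>
#include <stdio.h>

// Runs one validity check on the code at `path` with the given SecCSFlags and
// requirement string. "anchor apple" requires the signature to chain to Apple.
// Returns true only when SecStaticCodeCheckValidity reports errSecSuccess.
static bool CheckSignature(const char *path, SecCSFlags flags, CFStringRef requirementText) {
    CFStringRef cfPath = CFStringCreateWithCString(kCFAllocatorDefault, path, kCFStringEncodingUTF8);
    CFURLRef url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, cfPath, kCFURLPOSIXPathStyle, false);
    SecStaticCodeRef code = NULL;
    SecRequirementRef requirement = NULL;
    bool valid = false;

    if (SecStaticCodeCreateWithPath(url, kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString(requirementText, kSecCSDefaultFlags, &requirement) == errSecSuccess) {
        OSStatus status = SecStaticCodeCheckValidity(code, flags, requirement);
        valid = (status == errSecSuccess);
        if (!valid) {
            // Any non-success status (e.g. errSecCSSignatureFailed, errSecCSReqFailed)
            // must be treated as "do not trust", never as "unknown but probably fine".
            fprintf(stderr, "%s: validity check failed, OSStatus %d\n", path, (int)status);
        }
    }

    if (requirement) CFRelease(requirement);
    if (code) CFRelease(code);
    CFRelease(url);
    CFRelease(cfPath);
    return valid;
}

int main(int argc, const char *argv[]) {
    const char *path = argc > 1 ? argv[1] : "/Applications/Example.app"; // assumed path
    CFStringRef appleOnly = CFSTR("anchor apple");

    // Weak form: with kSecCSDefaultFlags, SecStaticCodeCheckValidity does not
    // verify every slice of a Fat/Universal file, which is the usage the
    // article describes third-party tools relying on.
    bool weak = CheckSignature(path, kSecCSDefaultFlags, appleOnly);

    // Recommended form per Apple's updated documentation: check all
    // architectures in the file and apply strict validation.
    bool strict = CheckSignature(path, kSecCSCheckAllArchitectures | kSecCSStrictValidate, appleOnly);

    printf("default flags:           %s\n", weak ? "valid" : "invalid");
    printf("strict + all archs:      %s\n", strict ? "valid" : "invalid");
    return strict ? 0 : 1;
}
```

The point of running both checks side by side is that a file can pass the first and fail the second; a tool that trusts code only when the strict, all-architectures check succeeds, and that treats every non-success OSStatus as a failure, is not fooled by a Fat/Universal file whose slices are signed inconsistently.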
- Technical details available here.