Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses for Years

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jun 12, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    Hackers have had an "easy way" to get certain malware past signature checks in third-party security tools since Apple's OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that hackers could essentially trick the security tools -- designed to sniff out suspiciously signed software -- into thinking the malware was officially signed by Apple while they in fact hid malicious software.


    The researchers said that the signature bypassing method is so "easy" and "trivial" that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple. These digital signatures are core security functions that let users know the app in question was signed with the private key of a trusted party, like Apple does with its first-party apps.

    Joshua Pitts, senior penetration testing engineer for security firm Okta, said he discovered the technique in February and informed Apple and the third-party developers about it soon after. Okta today also published information about the bypass, including a detailed disclosure timeline that began on February 22 with a report submitted to Apple and continues to today's public disclosure.

    Ars Technica broke down how the method was used and which third-party tools are affected:
    Developer Patrick Wardle spoke on the topic, explaining that the bypass was due to ambiguous documentation and comments provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: "To be clear, this is not a vulnerability or bug in Apple's code... basically just unclear/confusing documentation that led to people using their API incorrectly." It's also not an issue exclusive to Apple and macOS third-party security tools, as Wardle pointed out: "If a hacker wants to bypass your tool and targets it directly, they will win."

    For its part, Apple was said to have stated on March 20 that it did not see the bypass as a security issue that needed to be directly addressed. On March 29, the company updated its documentation to be more clear on the matter, stating that "third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result."

    Article Link: Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses for Years
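
The documentation change quoted in the article above, that every identity in a universal binary has to be checked, follows from the file format: a universal file is a table of independent single-architecture Mach-O images, each carrying its own signature. The sketch below is an added example, not code from the article, Okta, Apple or any of the tools named; it only enumerates the slices and reports which ones carry a signature load command, and leaves validating each signature and comparing identities to the platform's code-signing API. Assumptions: little-endian Mach-O slices, a 32-bit fat header, and constructed sample bytes.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                 # universal ("fat") header, stored big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_CODE_SIGNATURE = 0x1D               # load command that points at the signature blob

def slice_has_signature(macho: bytes) -> bool:
    """True if one single-architecture Mach-O image has an LC_CODE_SIGNATURE command."""
    (magic,) = struct.unpack_from("<I", macho, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image")
    (ncmds,) = struct.unpack_from("<I", macho, 16)
    pos = 32 if magic == MH_MAGIC_64 else 28      # sizeof mach_header_64 / mach_header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, pos)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            return True
        pos += cmdsize
    return False

def audit_universal(data: bytes) -> list:
    """Return [(cputype, has_signature), ...] for every slice, not just the first."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:                        # thin file: treat as a single slice
        return [(None, slice_has_signature(data))]
    report = []
    for i in range(nfat):
        cputype, _sub, off, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        if off + size > len(data):
            raise ValueError("slice extends past end of file")
        report.append((cputype, slice_has_signature(data[off:off + size])))
    return report

def make_slice(cputype: int, signed: bool) -> bytes:
    """Constructed sample: bare 64-bit Mach-O header with zero or one load command."""
    cmds = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0) if signed else b""
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0, 2, len(cmds) // 16, len(cmds), 0, 0) + cmds

def make_fat(spec: list) -> bytes:
    """Constructed sample: universal file built from [(cputype, signed), ...]."""
    slices = [make_slice(c, s) for c, s in spec]
    out, off = struct.pack(">II", FAT_MAGIC, len(slices)), 8 + 20 * len(slices)
    for (cputype, _signed), s in zip(spec, slices):
        out += struct.pack(">iiIII", cputype, 0, off, len(s), 0)
        off += len(s)
    return out + b"".join(slices)

SAMPLE = make_fat([(0x01000007, True), (0x0100000C, False)])  # constructed: x86_64, arm64
```

A verifier that stops at the first entry of `audit_universal(SAMPLE)` would see a signed slice and never look at the second one.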
     
  2. OldSchoolMacGuy Suspended

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #2
    These companies are prioritizing speed for security. We can assume they'll now implement proper checks, but it will come at the cost of speed.

    I'm sure most won't bother to read this article and blame Apple, but the real blame here is with developers including Little Snitch, xFence, and Facebook's OSquery. They're the ones that failed to properly check these signatures.
     
  3. slimtastic Suspended

    slimtastic

    Joined:
    May 17, 2018
    Location:
    Your Mother's Bedroom
    #3
    This is very bad. Thank goodness for white-hats who find this stuff out.
     
  4. ThunderSkunk macrumors 68030

    ThunderSkunk

    Joined:
    Dec 31, 2007
    Location:
    Colorado & Ontario
    #4
    Wow, but somehow, I'm less concerned about the security threat than I am excited to have discovered the job title "Senior Penetration Testing Engineer". ...someone's up for a performance review & promotion!
     
  5. konqerror macrumors 6502

    Joined:
    Dec 31, 2013
    #5
    It's Apple's fault. When 8 separate developers use the API in the wrong way, there's an issue with the API and instructions.
     
  6. IJ Reilly macrumors P6

    IJ Reilly

    Joined:
    Jul 16, 2002
    Location:
    Palookaville
    #6
    Well now, that's nearly as clear as Mississippi mud.
     
  7. BigHonkingDeal, Jun 12, 2018
    Last edited: Jun 12, 2018

    BigHonkingDeal macrumors 6502a

    BigHonkingDeal

    Joined:
    Feb 8, 2009
    Location:
    Fort Pierce
    #7
    I think we will have to do a Dark Web Triple Scan....

     
  8. skin88, Jun 12, 2018
    Last edited: Jun 12, 2018

    skin88 macrumors newbie

    Joined:
    Jan 5, 2018
    #8
    Does Apple give a damn?? Obviously not. It's focused now on important kindergarten stuff like animojis and AR gimmicks.
     
  9. trusso macrumors regular

    Joined:
    Oct 4, 2003
    #9
    Hehe... :rolleyes:

    Hehehe... :p



    They said "testing"! :D
     
  10. ArtOfWarfare macrumors G3

    ArtOfWarfare

    Joined:
    Nov 26, 2007
    #10
    So... I'm confused. Doesn't macOS itself check whether an app is properly signed or not before it's allowed to run? Is that feature working properly (and does it actually exist?) If so, then this really doesn't matter.

    If not... then perhaps there's actually a need for virus checkers in macOS that I wasn't aware of?
     
  11. OldSchoolMacGuy Suspended

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #11
    No, it's really not. It's the developer's responsibility to use the proper security procedures in their app. Is it the state's fault that people fail to follow speed limit signs?
     
  12. whooleytoo macrumors 604

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #12
    Yeah, since the built-in signature checking is valid, this is much less of an issue.

    Reading the original article on Okta, it does really hammer home how overly complex these systems are. And complexity is IMO the biggest enemy of security. It seems to me it's very much "easy to fail" rather than "easy to succeed".
     
  13. unixkid macrumors regular

    Joined:
    Jan 25, 2004
    #13
    That is the inherent problem with X509 and Gatekeeper. It defaults to trusting anything in its trust store. With Gatekeeper you just pay for a developer account and get your signing key, or steal someone else's and your code will run on any Mac by default. Determining code authenticity is a solved problem with TOFU tools like PGP/GPG. There is some really critical software out there that does not have GPG signatures, https://mostvulnerable.com.
     
  14. Analog Kid macrumors 601

    Analog Kid

    Joined:
    Mar 4, 2003
    #14
    I'm not sure I'd blame the devs here. The problem is the documentation. Once again reminding us that tech writers are an underappreciated bunch.
     
  15. OldSchoolMacGuy Suspended

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #15
    The current Apple documentation insists on the need to vet all certificates. But that slows things down, which is why some developers have chosen not to do so.

    Is it the state's fault if people don't follow speed limit signs?
     
  16. justperry macrumors G3

    justperry

    Joined:
    Aug 10, 2007
    Location:
    In the core of a black hole.
    #16
    Can someone explain the issue at hand please, I don't really understand the problem here.
    I have Little Snitch, is Little Snitch easily hacked or what?
    Bit confusing article. :confused:
     
  17. mpainesyd macrumors 6502

    mpainesyd

    Joined:
    Nov 29, 2008
    Location:
    Sydney, Australia
    #17
    Not easily hacked - see this discussion
    https://forums.obdev.at/viewtopic.php?f=1&t=11372

    It seems that LS 4.1 addressed the problem but we will need to wait for the developers to respond to this speculation
     
  18. Tech198 macrumors G5

    Joined:
    Mar 21, 2011
    Location:
    Australia, Perth
    #18
    "stating that "third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result."
     
  19. rlhamil macrumors regular

    rlhamil

    Joined:
    Feb 6, 2010
    #19
    AFAIK, Apple's only error was lack of clarity in the documentation, which I gather they fixed. But when that happens and there's a known problem as a result affecting multiple apps, I hope they make a reasonable effort to actively inform registered developers.
     
  20. eyeless macrumors newbie

    Joined:
    Aug 9, 2012
    #20
    --- Post Merged, Jun 13, 2018 ---
    Yes, noticed just yesterday that the main problem to removing malware from a Mac was the Mac security ... preventing the removal as long as SIP is activated.
     
