Signature Validation Bug Let Malware Bypass Several Mac Security Products


A years-old vulnerability has been discovered in the way several security products for Mac implement Apple’s code-signing API that could make it easier for malicious programs to bypass the security check, potentially leaving millions of Apple users vulnerable to hackers.

Josh Pitts, a researcher from security firm Okta, discovered that several third-party security products for Mac—including Little Snitch, F-Secure xFence, VirusTotal, Google Santa, and Facebook OSQuery—could be tricked into believing that an unsigned malicious code is signed by Apple.

Code-signing mechanism is a vital weapon in the fight against malware, which helps users identify who has signed the app and also provides reasonable proof that it has not been altered.

However, Pitts found that the mechanism used by most products to check digital signatures is trivial to bypass, allowing malicious files bundle with a legitimate Apple-signed code to effectively make the malware look like it has been signed by Apple.

It should be noted that this issue is not a vulnerability in MacOS itself but a flaw in how third-party security tools implemented Apple’s code-signing APIs when dealing with Mac’s executable files called Universal/Fat files.

The exploitation of the vulnerability requires an attacker to use Universal or Fat binary format, which contains several Mach-O files (executable, dyld, or bundle) written for different CPU architectures (i386, x86_64, or PPC).

“This vulnerability exists in the difference between how the Mach-O loader loads signed code vs. how improperly used Code Signing APIs check signed code and is exploited via a malformed Universal/Fat Binary,” Pitts explained.

Pitts also created several malformed PoC Fat/Universal files for developers to use in order to test their products against this vulnerability.

Successful attacks exploiting this technique could allow attackers to gain access to personal data, financial details and even sensitive insider information, in some cases, claimed researchers.

Here’s the list of affected vendors, alongside associated security products and CVEs:

  • VirusTotal (CVE-2018-10408)
  • Google—Santa, molcodesignchecker (CVE-2018-10405)
  • Facebook—OSQuery (CVE-2018-6336)
  • Objective Development—LittleSnitch (CVE-2018-10470)
  • F-Secure—xFence and LittleFlocker (CVE-2018-10403)
  • Objective-See—WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer and others (CVE-2018-10404)
  • Yelp—OSXCollector (CVE-2018-10406)
  • Carbon Black—Cb Response (CVE-2018-10407)

The researcher first notified Apple of the vulnerability in March, but Apple stated that the company did not see it as a security issue that they should directly address.

“Apple stated that documentation could be updated and new features could be pushed out, but ‘third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result’,” Pitts said.

So, after hearing from Apple, Okta contacted CERT/CC and then notified all known affected third-party developers, who are working on security patches that will likely be released soon.

Google acknowledged and already released security update for its Santa in late April. So, users are recommended to upgrade to the latest Santa v0.9.25.

Facebook has also fixed this issue in the latest version of its OSquery, which is already available for download. F-Secure has also rolled out an automatic update to xFENCE users in order to patch the vulnerability.

If you are using one of the above-listed tools, you are advised to check for updates in the coming days and upgrade your software as soon as they are released to guard against attacks exploiting the vulnerability.


Please enter your comment!
Please enter your name here

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.