The vast majority of third-party security products for Apple have long been susceptible to being tricked into thinking malicious code is Apple-approved, according to new research from security researchers at software company Okta.
The vulnerability, which could allow an attacker to gain access to a compromised Mac by pretending to be Apple, could have been exploited at any point since 2005’s launch of OSX Leopard, researcher Josh Pitts said.
Apple was reportedly notified of the vulnerability in February but told Okta the issue was a third-party one. Apple says it is now updating the documentation that explains to software developers how to build whitelisting tools for Macs.
Whitelisting tools from Chronicle, Carbon Black, Facebook, F-Secure, Google, Objective Development and Objective-See were among those failing to catch malicious files with tweaked credentials in Okta’s code signing tests.
Nearly all Apple-focussed third-party security provides were prone to the error, Okta said.
Code signing is the standardised process of using public key infrastructure to digitally sign compiled code or scripting languages to ensure a trusted origin and that the code hasn’t been modified.
“Unlike some of the prior work, this current vulnerability does not require admin access, does not require JIT’ing code, or memory corruption to bypass code signing checks. All that is required is a properly formatted Fat/Universal file and code signing checks return valid.
“This security flaw could have been abused since the 2005 introduction of OSX Leopard, as the flaw takes advantage of OSX’s multi-CPU architecture support in the form of a malformed Fat/Universal file. We are not aware of any prior abuse of this technique by bad actors”, Okta said in release.
“With the help of CERT/CC, all known affected vendors have been notified and Okta is publishing a public disclosure on June 12 to ensure the public is aware of this issue and updates the associated vulnerable software. In addition, we hope that the security research community can continue to contribute to this issue in any way possible to ensure that code signing is not exploited for malicious ends.”
Okta published full details in a blog this morning.