
Apple “Vulnerability” Could Have Been Exploited Since 2005

Third-party errors to blame, but flaw could have been exploited for over a decade

By CBR Staff Writer

The vast majority of third-party security products for Apple have long been susceptible to being tricked into thinking malicious code is Apple-approved, according to new research from security researchers at software company Okta.

The vulnerability, which could allow an attacker to gain access to a compromised Mac by pretending to be Apple, could have been exploited at any point since 2005’s launch of OSX Leopard, researcher Josh Pitts said.

Apple was reportedly notified of the vulnerability in February but told Okta the issue was a third-party one. Apple says it is now updating the documentation that explains to software developers how to build whitelisting tools for Macs.

Everyone Fails

Whitelisting tools from Chronicle, Carbon Black, Facebook, F-Secure, Google, Objective Development and Objective-See were among those failing to catch malicious files with tweaked credentials in Okta’s code signing tests.

Nearly all Apple-focussed third-party security providers were prone to the error, Okta said.

Code signing is the standardised process of using public key infrastructure to digitally sign compiled code or scripting languages to ensure a trusted origin and that the code hasn’t been modified.

“Unlike some of the prior work, this current vulnerability does not require admin access, does not require JIT’ing code, or memory corruption to bypass code signing checks. All that is required is a properly formatted Fat/Universal file and code signing checks return valid.

“This security flaw could have been abused since the 2005 introduction of OSX Leopard, as the flaw takes advantage of OSX’s multi-CPU architecture support in the form of a malformed Fat/Universal file. We are not aware of any prior abuse of this technique by bad actors”, Okta said in a release.

“With the help of CERT/CC, all known affected vendors have been notified and Okta is publishing a public disclosure on June 12 to ensure the public is aware of this issue and updates the associated vulnerable software. In addition, we hope that the security research community can continue to contribute to this issue in any way possible to ensure that code signing is not exploited for malicious ends.”

Okta published full details in a blog this morning.
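
A Fat/Universal file is a short big-endian header followed by one Mach-O image per CPU architecture, so a whitelisting tool has to account for every slice in the container. The sketch below is an added example, not code from Okta or any vendor named in this article; it enumerates the slices and flags structural problems, and the function names and the sample file are constructed for illustration.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # big-endian fat header with 32-bit offsets
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, either byte order
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # 64-bit, either byte order
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64",
             18: "ppc", 0x01000012: "ppc64"}

def list_fat_slices(data):
    """Return one dict per architecture slice, or [] if data is not a fat file."""
    if len(data) < 8:
        return []
    magic, count = struct.unpack_from(">II", data, 0)
    # Each fat_arch entry is five 32-bit fields: cputype, cpusubtype, offset, size, align.
    if magic != FAT_MAGIC or count == 0 or 8 + 20 * count > len(data):
        return []
    slices = []
    for i in range(count):
        cputype, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        problems = []
        if offset + size > len(data):
            problems.append("slice extends past end of file")
        elif data[offset:offset + 4] not in MACHO_MAGICS:
            problems.append("slice does not start with a Mach-O magic")
        if any(offset < s["offset"] + s["size"] and s["offset"] < offset + size
               for s in slices):
            problems.append("slice overlaps an earlier slice")
        slices.append({"cpu": CPU_NAMES.get(cputype, hex(cputype)),
                       "offset": offset, "size": size, "problems": problems})
    return slices

def needs_per_slice_check(data):
    """True when the file holds more than one image that must each be verified."""
    return len(list_fat_slices(data)) > 1

def build_sample():
    # Constructed two-slice fat file: header, two fat_arch entries, two stub slices.
    header = struct.pack(">II", FAT_MAGIC, 2)
    arch1 = struct.pack(">5I", 0x01000007, 3, 64, 16, 0)
    arch2 = struct.pack(">5I", 7, 3, 80, 16, 0)
    body = (header + arch1 + arch2).ljust(64, b"\0")
    return body + b"\xcf\xfa\xed\xfe".ljust(16, b"\0") + b"\xce\xfa\xed\xfe".ljust(16, b"\0")

if __name__ == "__main__":
    for s in list_fat_slices(build_sample()):
        print(s)
```

The output of `list_fat_slices` gives the offset and size of each image, which is what a tool needs in order to run its signature check on every slice rather than on the file as a whole.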

