Apple Mac users warned over 'code-signing' vulnerability

Security flaw enables malware to be run that's been fraudulently signed by Apple

Apple Mac users have been warned about a vulnerability affecting MacOS for more than a decade that could enable attackers to pass off malware as legitimate applications.

Found by Josh Pitts, a researcher on Okta's Research and Exploitation (REX) team, the Apple "code-signing" vulnerability is said to enable anyone - including a malicious actor - to trick third-party security tools into believing their code is Apple-approved, letting malicious code be installed on a MacOS machine until the affected tools are patched.

"Through this method, a sophisticated threat actor could get access to personal data, financial details, or sensitive insider information," the company said in a statement.

"And, by exploiting this vulnerability, threat actors can bypass a core security function - and even the most vigilant security professionals - that most end users don't know or think about as they go about their digital activities. What this does is break the chain of trust in code signed by Apple and in MacOS security that people often take for granted."

Code-signing is the standardised process of using public key infrastructure to digitally sign compiled code or scripts, so that the origin can be trusted and any modification to the deployed code can be detected. It is intended to guarantee to end users that the code they are about to install really does come from the party it claims to come from and is bona fide.

This is a core security function that most end users don't know or think about as they run their everyday applications.

"With millions of consumers and more and more businesses using Mac every day, the potential scope here is enormous," Okta added.

The REX researcher found that virtually all third-party (non-Apple) Apple-focused security products that use the official Apple APIs failed to verify the cryptographic signature properly.

Pitts was thus able to create a malformed program that, to these security products, would look to be signed by Apple itself, thereby bypassing a core security feature in these products.

"This technique could, in a post-exploitation and/or phishing attack as a second-stage payload, allow for long-term persistence in plain sight," Okta explained. "After testing, [we] concluded that this technique bypassed the gambit of whitelisting, incident response, and process inspection solutions by appearing to be signed by Apple's own root certificate."

This security flaw could even have been abused since the 2005 introduction of OSX Leopard, as it takes advantage of OSX's support for binaries that carry code for more than one CPU architecture.
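The article does not spell out how multi-architecture support is involved, only that the affected products did not verify the signature properly. The added example below (my own illustration, not Okta's or Apple's code) makes the general point concrete with a toy container holding one code slice per architecture, signed with Ed25519 instead of Apple's certificate chain. It assumes, purely for illustration, that a verifier which checks only one slice of such a container is the "improper" check, and shows it beside the check a defender wants: every slice must carry a valid signature from the trusted key, and any modification after signing must be rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Slice is one CPU architecture's code inside a toy multi-architecture
// container. This is a constructed illustration, not the real Mach-O
// layout, and the signing scheme is plain Ed25519 rather than Apple's
// certificate-based code signing.
type Slice struct {
	Arch      string
	Code      []byte
	Signature []byte // signature over Arch||0x00||Code; empty means unsigned
}

// Container bundles several slices, one per architecture.
type Container struct {
	Slices []Slice
}

// signedMessage is the byte string a slice's signature covers. Binding the
// architecture name stops a signature made for one slice being reused on another.
func signedMessage(arch string, code []byte) []byte {
	msg := append([]byte(arch), 0x00)
	return append(msg, code...)
}

// SignSlice produces a slice signed by the trusted vendor key.
func SignSlice(priv ed25519.PrivateKey, arch string, code []byte) Slice {
	return Slice{Arch: arch, Code: code, Signature: ed25519.Sign(priv, signedMessage(arch, code))}
}

// VerifySlice checks one slice against the trusted public key.
func VerifySlice(pub ed25519.PublicKey, s Slice) bool {
	if len(s.Signature) == 0 {
		return false
	}
	return ed25519.Verify(pub, signedMessage(s.Arch, s.Code), s.Signature)
}

// VerifyFirstSliceOnly is the weak check (hypothetical): it trusts the whole
// container once the first slice verifies and never looks at the others.
func VerifyFirstSliceOnly(pub ed25519.PublicKey, c Container) error {
	if len(c.Slices) == 0 {
		return errors.New("empty container")
	}
	if !VerifySlice(pub, c.Slices[0]) {
		return errors.New("first slice: bad or missing signature")
	}
	return nil
}

// VerifyAllSlices is the proper check: every slice must carry a valid
// signature from the trusted key, so nothing can ride along unsigned.
func VerifyAllSlices(pub ed25519.PublicKey, c Container) error {
	if len(c.Slices) == 0 {
		return errors.New("empty container")
	}
	for _, s := range c.Slices {
		if !VerifySlice(pub, s) {
			return fmt.Errorf("slice %q: bad or missing signature", s.Arch)
		}
	}
	return nil
}

// Scenario builds three constructed containers (fully signed, one slice
// unsigned, one slice modified after signing) and reports how each verifier
// judges them. Map keys: "good", "mixed", "tampered"; true means accepted.
func Scenario() (weak, strict map[string]bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signedA := SignSlice(priv, "arch-a", []byte("legitimate code for arch a"))
	signedB := SignSlice(priv, "arch-b", []byte("legitimate code for arch b"))
	unsignedB := Slice{Arch: "arch-b", Code: []byte("unsigned code for arch b")}
	modifiedB := signedB // keeps the old signature but the code no longer matches it
	modifiedB.Code = append([]byte("modified "), signedB.Code...)

	containers := map[string]Container{
		"good":     {Slices: []Slice{signedA, signedB}},
		"mixed":    {Slices: []Slice{signedA, unsignedB}},
		"tampered": {Slices: []Slice{signedA, modifiedB}},
	}
	weak, strict = map[string]bool{}, map[string]bool{}
	for name, c := range containers {
		weak[name] = VerifyFirstSliceOnly(pub, c) == nil
		strict[name] = VerifyAllSlices(pub, c) == nil
	}
	return weak, strict, nil
}

func main() {
	weak, strict, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"good", "mixed", "tampered"} {
		fmt.Printf("%-8s first-slice-only accepts: %-5v  all-slices accepts: %v\n", name, weak[name], strict[name])
	}
}
```

Running it shows the first-slice-only verifier accepting all three containers, while the all-slices verifier accepts only the fully signed one. The same principle applies to any real container format: a signature check that stops after one component gives no assurance about the rest of what will actually execute.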

"While we are not aware of any prior abuse of this technique by bad actors, we assess that it is highly possible given the ever-present desires to circumvent security in all forms," Okta warned.

With the help of US CERT, all known affected vendors have been notified of the issue and Okta said it is publishing a public disclosure today to ensure the public is aware of this vulnerability.