Malicious Code Can Look Like It Has Been Signed by Apple

Security researchers have disclosed a code-signing bypass that allows malicious code to masquerade as an official Apple system file. In other words, some third-party implementations built on Apple's official code-signing API can be exploited by attackers.

Apple makes an API available to developers who want to build a security function that verifies Apple files as legitimate. The issue stems from the way some developers have used that API, which introduces the vulnerability into their own security products rather than into macOS itself.

The flaw allows unsigned malicious code to appear to have been signed by Apple. As a result of this "misunderstanding" of the API, malware can trick vulnerable security products and services into treating it as just another legitimate Apple file.

Who is affected by this vulnerability? A host of security products, several open-source projects, and security functions used by Google, Facebook and Yelp.

More about the Vulnerability

As explained by Okta researcher Josh Pitts, the flaw lies in the difference between how the Mach-O loader selects and loads signed code and how improperly used Code Signing APIs check it. It is exploited via a malformed Universal/Fat binary (a container format holding several Mach-O files, each built for a specific native CPU architecture).

It should be noted that several conditions must hold for the vulnerability to work:

– The first Mach-O in the Fat/Universal file must be signed by Apple; it can be i386, x86_64, or even PPC.
– The malicious, non-Apple binary must be ad-hoc signed and compiled for i386, running on an x86_64 macOS host.
– The CPU_TYPE in the Fat header entry for the Apple binary must be set to an invalid type, or to a CPU type that is not native to the host chipset.
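The three conditions above describe a disagreement between two consumers of the same file: a verifier that inspects the first slice of a Fat binary, and the loader, which only ever runs a slice it can execute on the host. The following Python script is an added example written for this article, not code from Okta or from the original post. It parses the Fat header, models a naive "check the first slice" verifier beside a simplified model of the loader's slice selection, and flags a file whose first fat_arch entry is not runnable on the host. The sample binaries are constructed in memory: the slices are placeholder Mach-O headers with no real code and no real signatures, so the script demonstrates the structural mismatch, not an actual signature forgery.

```python
"""Added example: model of the slice-selection mismatch behind the Fat binary
code-signing bypass. All binaries below are constructed placeholders."""
import struct

FAT_MAGIC = 0xCAFEBABE        # fat_header magic; fat structures are big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit mach_header magic (little-endian on x86)
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit mach_header magic
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_I386 = 0x00000007
CPU_TYPE_X86_64 = CPU_TYPE_I386 | CPU_ARCH_ABI64
CPU_TYPE_POWERPC = 0x00000012


def parse_fat(data):
    """Parse fat_header and its fat_arch table into a list of dicts."""
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a Fat/Universal binary")
    arches = []
    for i in range(nfat_arch):
        base = 8 + i * 20                      # sizeof(fat_arch) == 20
        cputype, cpusubtype, offset, size, align = struct.unpack(
            ">IIIII", data[base:base + 20])
        if offset + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        arches.append({"index": i, "cputype": cputype, "cpusubtype": cpusubtype,
                       "offset": offset, "size": size, "align": align})
    return arches


def naive_first_slice(arches):
    """The misuse: trust whichever Mach-O the fat_arch table lists first."""
    return arches[0]


def loader_slice(arches, host_cputype):
    """Simplified model of the loader: exact host match first, then the 32-bit
    variant of the host arch (i386 on x86_64). Unknown/foreign slices never run."""
    for a in arches:
        if a["cputype"] == host_cputype:
            return a
    fallback = host_cputype & ~CPU_ARCH_ABI64
    for a in arches:
        if a["cputype"] == fallback:
            return a
    return None


def slice_bytes(data, arch):
    return data[arch["offset"]:arch["offset"] + arch["size"]]


def divergence(data, host_cputype=CPU_TYPE_X86_64):
    """Does the slice a naive verifier checks differ from the one the loader runs?"""
    arches = parse_fat(data)
    checked = naive_first_slice(arches)
    executed = loader_slice(arches, host_cputype)
    return {"checked_index": checked["index"],
            "executed_index": None if executed is None else executed["index"],
            "diverges": executed is not None and executed["index"] != checked["index"]}


def first_slice_is_suspicious(data, host_cputype=CPU_TYPE_X86_64):
    """Detection heuristic for the third precondition: the first fat_arch entry
    carries a cputype that is invalid or not runnable on this host."""
    first = parse_fat(data)[0]["cputype"]
    runnable = {host_cputype, host_cputype & ~CPU_ARCH_ABI64}
    return first not in runnable


def stub_macho(magic, cputype, label):
    """Placeholder Mach-O: a mach_header with no load commands plus a label.
    Constructed for the demo; it is neither signed nor executable."""
    hdr = struct.pack("<IIIIIII", magic, cputype, 3, 2, 0, 0, 0)
    if magic == MH_MAGIC_64:
        hdr += b"\0" * 4                       # mach_header_64 'reserved' field
    return hdr + label


def build_fat(slices, align=0x1000):
    """Pack (cputype, payload) pairs into a page-aligned Fat/Universal binary."""
    entries, offset = [], align              # header occupies the first page
    for cputype, payload in slices:
        entries.append((cputype, 3, offset, len(payload), 12))
        offset += (len(payload) + align - 1) // align * align
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    for e in entries:
        header += struct.pack(">IIIII", *e)
    out = bytearray(offset)
    out[:len(header)] = header
    for (_, _, off, size, _), (_, payload) in zip(entries, slices):
        out[off:off + size] = payload
    return bytes(out)


# Constructed samples. MALFORMED follows the article's three conditions:
# first slice tagged PPC (not native to an x86_64 host), second slice i386.
MALFORMED = build_fat([
    (CPU_TYPE_POWERPC, stub_macho(MH_MAGIC, CPU_TYPE_POWERPC, b"apple-signed-placeholder")),
    (CPU_TYPE_I386, stub_macho(MH_MAGIC, CPU_TYPE_I386, b"adhoc-i386-placeholder")),
])
WELL_FORMED = build_fat([
    (CPU_TYPE_X86_64, stub_macho(MH_MAGIC_64, CPU_TYPE_X86_64, b"native-x86_64")),
    (CPU_TYPE_I386, stub_macho(MH_MAGIC, CPU_TYPE_I386, b"i386")),
])

if __name__ == "__main__":
    for name, blob in (("malformed", MALFORMED), ("well-formed", WELL_FORMED)):
        print(name, divergence(blob), "suspicious:", first_slice_is_suspicious(blob))
```

On the malformed sample the naive verifier inspects slice 0 while the loader would run slice 1, which is exactly the gap the malware sits in; on the well-formed sample both pick slice 0. The loader model is deliberately simplified (it ignores cpusubtype grading), so treat `first_slice_is_suspicious` as a triage heuristic, not a verifier. The real fix for products using the Code Signing API is to ask it to validate every architecture in the container (Apple's `kSecCSCheckAllArchitectures` flag, combined with `kSecCSStrictValidate`) rather than only the slice that happens to come first.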

The initial proof-of-concept demonstrated how (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: