Okta Inc. researchers discovered a bypass that allows threat actors to create malware that can pose as legitimate...
software files signed by Apple. What is this bypass and who does it affect?
Because regular users sometimes find it difficult to know what is and isn't safe on the internet or when installing software, software developers are increasingly signing their software -- something many operating systems require before letting new software run or be installed on a device.
However, using signed software doesn't always prevent malware from bypassing software signature verification, as regular users often have don't know how to authenticate signed software. In addition, advanced IT professionals and software developers don't always know how to validate signed software for each operating system or the different versions of signing software.
Josh Pitts, a staff engineer on the research and exploitation team at Okta, blogged about malware bypassing third-party code signing verifications. In this case, the vulnerability is not in Apple's systems, but rather in the way third parties use the APIs for authenticated signed software.
The researchers at Okta discovered that several software vendors had misunderstood how to use code-signing APIs to check signatures on signed files. The issue was that macOS binaries can have more than one version of the binary bundled in a file -- one for different CPU architectures -- and only the first version of the binary has its signature checked by a known certificate authority (CA).
As a result, an attacker can bypass certain types of checks that require a binary signed by a known CA by bundling a legitimately signed binary in with a malware file that is signed with a self-signed certificate. In that case, the authentically signed binary would be mixed in with the malware. Apple has since updated their developer documentation to explain this exploit to developers.
The vulnerability requires specific conditions to work, and there have been no indications that the vulnerability has been actively exploited. Okta worked with the CERT Coordination Center to notify the vendors they identified as vulnerable, and those vendors have also updated their software to address this vulnerability.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
The new Mylobot botnet demonstrated new, complex tools and techniques that are modifying botnet attacks. Learn how this botnet differs from a typical... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.