Q
Problem solve Get help with specific problems with your technologies, process and projects.

How does signed software help mitigate malware?

Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this attack.

Okta Inc. researchers discovered a bypass that allows threat actors to create malware that can pose as legitimate...

software files signed by Apple. What is this bypass and who does it affect?

Because regular users sometimes find it difficult to know what is and isn't safe on the internet or when installing software, software developers are increasingly signing their software -- something many operating systems require before letting new software run or be installed on a device.

However, using signed software doesn't always prevent malware from bypassing software signature verification, as regular users often have don't know how to authenticate signed software. In addition, advanced IT professionals and software developers don't always know how to validate signed software for each operating system or the different versions of signing software.

Josh Pitts, a staff engineer on the research and exploitation team at Okta, blogged about malware bypassing third-party code signing verifications. In this case, the vulnerability is not in Apple's systems, but rather in the way third parties use the APIs for authenticated signed software.

The researchers at Okta discovered that several software vendors had misunderstood how to use code-signing APIs to check signatures on signed files. The issue was that macOS binaries can have more than one version of the binary bundled in a file -- one for different CPU architectures -- and only the first version of the binary has its signature checked by a known certificate authority (CA).

As a result, an attacker can bypass certain types of checks that require a binary signed by a known CA by bundling a legitimately signed binary in with a malware file that is signed with a self-signed certificate. In that case, the authentically signed binary would be mixed in with the malware. Apple has since updated their developer documentation to explain this exploit to developers.

The vulnerability requires specific conditions to work, and there have been no indications that the vulnerability has been actively exploited. Okta worked with the CERT Coordination Center to notify the vendors they identified as vulnerable, and those vendors have also updated their software to address this vulnerability.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

This was last published in November 2018

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

How do you think this recent macOS malware vulnerability will influence the digital signature process?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close