MacOS Bypass Flaw Lets Attackers Sign Malicious Code as Apple
A security bypass weakness in macOS APIs let attackers impersonate Apple to sign malicious code and evade third-party security tools.
By Kelly Sheridan | June 12, 2018
When is Apple-signed code not actually signed by Apple? When a hacker can manipulate the code-signing process to impersonate Apple and sign off on malicious code, bypassing common third-party security tools and tricking users into thinking illegitimate software is verified.
Such a bypass attack has been possible for years on macOS and older versions of OS X because of the way third-party tools call Apple's code-signing APIs, explains Josh Pitts, staff engineer for research and exploitation at Okta.
…
Affected Vendors and Available Patches:
Apple's own security tooling built into macOS is not affected, and the affected third-party vendors and open-source projects have been alerted to the bypass, Okta reports. Developers are responsible for calling the code-signing API correctly, and Okta has released proof-of-concept files so they can test their own code.
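The structural reason the bypass works, as an added illustration that is not code from the article or from Okta's released proof-of-concept files: a Fat/Universal binary carries several thin Mach-O slices, and the kernel runs the one matching the host CPU, while a tool that validates only the first slice may be looking at a different one. The disclosed bypass relied on exactly that gap, with an Apple-signed slice first (under a cputype the host will not execute) and a differently signed or unsigned native slice after it. The parser below enumerates every slice, reports whether each even carries an LC_CODE_SIGNATURE load command, and flags a first-slice/executed-slice mismatch. The sample bytes are constructed here, not taken from any real binary. Presence of the load command proves nothing about who signed the slice (an ad-hoc signature carries it too), so on macOS the actual verdict must come from Security.framework's SecStaticCodeCheckValidity() with kSecCSCheckAllArchitectures (and kSecCSStrictValidate) set, which is the API usage this article says developers are responsible for.

```python
"""Enumerate every slice of a Mach-O Fat/Universal binary (added example).

Only the layout is parsed; no signature is validated here. On macOS use
SecStaticCodeCheckValidity() with kSecCSCheckAllArchitectures for that.
"""
import struct

FAT_MAGIC = 0xCAFEBABE        # fat header and fat_arch entries are big-endian
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit Mach-O, little-endian on x86_64/arm64
MH_MAGIC = 0xFEEDFACE         # thin 32-bit Mach-O
LC_CODE_SIGNATURE = 0x1D      # load command pointing at the embedded signature

CPU_I386 = 0x00000007
CPU_X86_64 = 0x01000007
CPU_PPC = 0x00000012
CPU_ARM64 = 0x0100000C
CPU_TYPE_NAMES = {CPU_I386: "i386", CPU_X86_64: "x86_64",
                  CPU_PPC: "ppc", CPU_ARM64: "arm64"}


def has_code_signature_lc(blob):
    """True if the thin Mach-O has an LC_CODE_SIGNATURE load command.
    Absence means no embedded signature at all; presence says nothing
    about the signer or validity (ad-hoc signatures carry it too)."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == MH_MAGIC_64:
        off = 32                       # mach_header_64 size
    elif magic == MH_MAGIC:
        off = 28                       # mach_header size
    else:
        return False
    ncmds = struct.unpack("<I", blob[16:20])[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", blob[off:off + 8])
        if cmd == LC_CODE_SIGNATURE:
            return True
        off += cmdsize
    return False


def parse_fat(data):
    """Return one dict per fat_arch entry, in file order."""
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices, off = [], 8
    for idx in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack(">IIIII", data[off:off + 20])
        off += 20
        slices.append({
            "index": idx,
            "cputype": cputype,
            "name": CPU_TYPE_NAMES.get(cputype, "unknown(0x%x)" % cputype),
            "has_signature_lc": has_code_signature_lc(data[offset:offset + size]),
        })
    return slices


def bypass_candidate(data, host_cputype):
    """Compare the slice a first-slice-only verifier inspects with the
    slice the loader would actually run on a host of `host_cputype`."""
    slices = parse_fat(data)
    checked = slices[0]
    executed = next((s for s in slices if s["cputype"] == host_cputype), None)
    return {
        "checked_slice": checked["index"],
        "executed_slice": None if executed is None else executed["index"],
        "mismatch": executed is not None and executed["index"] != checked["index"],
        "unsigned_slices": [s["index"] for s in slices if not s["has_signature_lc"]],
    }


def thin_macho(cputype, signed):
    """Constructed minimal mach_header_64 with an optional signature LC."""
    cmds = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0) if signed else b""
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 3, 2,
                      1 if signed else 0, len(cmds), 0, 0)
    return hdr + cmds


def build_fat(parts):
    """Constructed fat binary: header, fat_arch table, then the slices."""
    archs, body = b"", b""
    offset = 8 + 20 * len(parts)
    for cputype, blob in parts:
        archs += struct.pack(">IIIII", cputype, 3, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(parts)) + archs + body


# Constructed sample: slice 0 is a non-native ppc slice that carries an
# embedded signature; slice 1 is the native x86_64 slice with none at all.
SAMPLE = build_fat([(CPU_PPC, thin_macho(CPU_PPC, signed=True)),
                    (CPU_X86_64, thin_macho(CPU_X86_64, signed=False))])

if __name__ == "__main__":
    for s in parse_fat(SAMPLE):
        print(s)
    print(bypass_candidate(SAMPLE, CPU_X86_64))
```

A verifier that stops at slice 0 reports the ppc slice's signature and never sees that the x86_64 slice the host will run is unsigned; iterating `parse_fat()` and validating each slice, or letting the OS do so with the all-architectures flag, closes that gap.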
Here are the affected vendors:
VirusTotal (CVE-2018-10408)
Google – Santa, molcodesignchecker (CVE-2018-10405)
Facebook – OSQuery (CVE-2018-6336)
Objective Development – LittleSnitch (CVE-2018-10470)
F-Secure – xFence, also LittleFlocker (CVE-2018-10403)
Objective-See – WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer, others (CVE-2018-10404)
Yelp – OSXCollector (CVE-2018-10406)
Carbon Black – Cb Response (CVE-2018-10407)
Mac users should apply all necessary fixes to protect against malicious software that tries to manipulate the code-signing process. “If enterprises are using illicit software, they need to update,” Pitts emphasizes.