Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses for Years

Hackers have had an "easy way" to get certain malware past signature checks in third-party security tools since Apple's OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that hackers could essentially trick the security tools -- designed to sniff out suspiciously signed software -- into thinking the malware was officially signed by Apple, when the file in fact hid malicious software.

The researchers said that the signature bypassing method is so "easy" and "trivial" that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple. These digital signatures are core security functions that let users know the app in question was signed with the private key of a trusted party, like Apple does with its first-party apps.

Joshua Pitts, senior penetration testing engineer for security firm Okta, said he discovered the technique in February and informed Apple and the third-party developers about it soon after. Okta today also published information about the bypass, including a detailed disclosure timeline that began on February 22 with a report submitted to Apple and continues to today's public disclosure.

Ars Technica broke down how the method was used and which third-party tools are affected:

The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple. At least eight third-party tools would show other non-signed executable code included in the same bundle as being signed by Apple, too.

Affected third-party tools included VirusTotal, Google Santa, Facebook OSQuery, the Little Snitch Firewall, Yelp, OSXCollector, Carbon Black’s db Response, and several tools from Objective-See. Many companies and individuals rely on some of the tools to help implement whitelisting processes that permit only approved applications to be installed on a computer, while forbidding all others.

Developer Patrick Wardle spoke on the topic, explaining that the bypass was due to ambiguous documentation and comments provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: "To be clear, this is not a vulnerability or bug in Apple's code... basically just unclear/confusing documentation that led to people using their API incorrectly." It's also not an issue exclusive to Apple and macOS third-party security tools, as Wardle pointed out: "If a hacker wants to bypass your tool and targets it directly, they will win."

For its part, Apple was said to have stated on March 20 that it did not see the bypass as a security issue that needed to be directly addressed. On March 29, the company updated its documentation to be more clear on the matter, stating that "third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result."
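
The check Apple's updated documentation describes can be sketched as follows. This is an added example, not code from Apple, Okta or any of the affected tools: it lists every slice in a Fat/Universal header and accepts the file only if all slices share one valid signing identity, next to the first-slice-only pattern the report describes. The `identity_of` callback, the signer names and the sample bytes are constructed stand-ins for a real per-slice signature verification.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # 32-bit fat header; all fields are big-endian on disk
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc"}

def fat_slices(data):
    """Return [(arch, offset, size), ...] for every slice in a fat header."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, count = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a 32-bit fat/universal file")
    if len(data) < 8 + 20 * count:
        raise ValueError("truncated fat_arch table")
    slices = []
    for i in range(count):
        cputype, _sub, offset, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("slice %d points outside the file" % i)
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), offset, size))
    return slices

def first_slice_only(slices, identity_of):
    """The flawed pattern: report the first slice's signer for the whole file."""
    return identity_of(*slices[0])

def all_slices_match(slices, identity_of):
    """Accept only if every slice is validly signed by one and the same identity."""
    ids = [identity_of(*s) for s in slices]
    if not ids or any(i is None for i in ids):
        return ("reject", "a slice is unsigned or fails validation")
    if len(set(ids)) != 1:
        return ("reject", "slices are signed by different identities")
    return ("ok", ids[0])

# Constructed sample: a fat header listing two slices, padded with zero bytes.
SAMPLE = (struct.pack(">II", FAT_MAGIC, 2)
          + struct.pack(">5I", 7, 3, 4096, 100, 12)
          + struct.pack(">5I", 0x01000007, 3, 8192, 100, 12)).ljust(8292, b"\0")
# Constructed verification results; None means unsigned or invalid.
SIGNERS = {"i386": "Vendor A", "x86_64": None}

def identity_of(arch, offset, size):
    # Hypothetical stand-in for the platform's per-slice signature check.
    return SIGNERS[arch]

if __name__ == "__main__":
    slices = fat_slices(SAMPLE)
    print(first_slice_only(slices, identity_of))
    print(all_slices_match(slices, identity_of))
```

On the constructed sample the first-slice check reports a signer for the whole file, while the all-slices check rejects it because the second slice has no valid signature.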

Top Rated Comments

OldSchoolMacGuy
32 months ago
These companies are prioritizing speed for security. We can assume they'll now implement proper checks, but it will come at the cost of speed.

I'm sure most won't bother to read this article and blame Apple, but the real blame here is with developers including Little Snitch, xFence, and Facebook's OSquery. They're the ones that failed to properly check these signatures.
Score: 12 Votes
ThunderSkunk
32 months ago
Wow, but somehow, I'm less concerned about the security threat than I am excited to have discovered the job title "Senior Penetration Testing Engineer". ...someone's up for a performance review & promotion!
Score: 6 Votes
skin88
32 months ago
Does Apple give a damn?? Obviously not. It's focused now on important kindergarten stuff like animojis and AR gimmicks.
Score: 5 Votes
slimtastic
32 months ago
This is very bad. Thank goodness for white-hats who find this stuff out.
Score: 4 Votes
konqerror
32 months ago


I'm sure most won't bother to read this article and blame Apple, but the real blame here is with developers including Little Snitch, xFence, and Facebook's OSquery. They're the ones that failed to properly check these signatures.

It's Apple's fault. When 8 separate developers use the API in the wrong way, there's an issue with the API and instructions.
Score: 4 Votes
OldSchoolMacGuy
32 months ago

It's Apple's fault. When 8 separate developers use the API in the wrong way, there's an issue with the API and instructions.

No, it's really not. It's the developer's responsibility to use the proper security procedures in their app. Is it the state's fault that people fail to follow speed limit signs?
Score: 2 Votes
