Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses for Years

Hackers have had an "easy way" to get certain malware past signature checks in third-party security tools since Apple's OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that hackers could essentially trick the security tools -- designed to sniff out suspiciously signed software -- into thinking the malware was officially signed by Apple while they in fact hid malicious software.


The researchers said that the signature bypassing method is so "easy" and "trivial" that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple. These digital signatures are core security functions that let users know the app in question was signed with the private key of a trusted party, like Apple does with its first-party apps.

Joshua Pitts, senior penetration testing engineer for security firm Okta, said he discovered the technique in February and informed Apple and the third-party developers about it soon after. Okta today also published information about the bypass, including a detailed disclosure timeline that began on February 22 with a report submitted to Apple and continues to today's public disclosure.

Ars Technica broke down how the method was used and which third-party tools are affected:

The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple. At least eight third-party tools would show other non-signed executable code included in the same bundle as being signed by Apple, too.

Affected third-party tools included VirusTotal, Google Santa, Facebook OSQuery, the Little Snitch Firewall, Yelp, OSXCollector, Carbon Black’s db Response, and several tools from Objective-See. Many companies and individuals rely on some of the tools to help implement whitelisting processes that permit only approved applications to be installed on a computer, while forbidding all others.

Developer Patrick Wardle spoke on the topic, explaining that the bypass was due to ambiguous documentation and comments provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: "To be clear, this is not a vulnerability or bug in Apple's code... basically just unclear/confusing documentation that led to people using their API incorrectly." It's also not an issue exclusive to Apple and macOS third-party security tools, as Wardle pointed out: "If a hacker wants to bypass your tool and targets it directly, they will win."

For its part, Apple was said to have stated on March 20 that it did not see the bypass as a security issue that needed to be directly addressed. On March 29, the company updated its documentation to be more clear on the matter, stating that "third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result."

Top Rated Comments

(View all)
Avatar
27 months ago
These companies are prioritizing speed for security. We can assume they'll now implement proper checks, but it will come at the cost of speed.

I'm sure most won't bother to read this article and blame Apple, but the real blame here is with developers including Little Snitch, xFence, and Facebook's OSquery. They're the ones that failed to properly check these signatures.
Score: 12 Votes (Like | Disagree)
Avatar
27 months ago
Wow, but somehow, I'm less concerned about the security threat than I am excited to have discovered the job title "Senior Penetration Testing Engineer". ...someone's up for a performance review & promotion!
Score: 6 Votes (Like | Disagree)
Avatar
27 months ago
Does Apple give a damn?? Obviously not. It's focused now on important kindergarten stuff like animojis and AR gimmicks.
Score: 5 Votes (Like | Disagree)
Avatar
27 months ago
This is very bad. Thank goodness for white-hats who find this stuff out.
Score: 4 Votes (Like | Disagree)
Avatar
27 months ago


I'm sure most won't bother to read this article and blame Apple, but the real blame here is with developers including Little Snitch, xFence, and Facebook's OSquery. They're the ones that failed to properly check these signatures.

It's Apple's fault. When 8 separate developers use the API in the wrong way, there's an issue with the API and instructions.
Score: 4 Votes (Like | Disagree)
Avatar
27 months ago

It's Apple's fault. When 8 separate developers use the API in the wrong way, there's an issue with the API and instructions.

No, it's really not. It's the developers responsibility to use the proper security procedures in their app. Is it the states fault that people fail to follow speed limit signs?
Score: 2 Votes (Like | Disagree)

Top Stories

Apple Officially Obsoletes First MacBook Pro With a Retina Display

Wednesday July 1, 2020 3:40 am PDT by
As expected, Apple's first MacBook Pro with a Retina display is now officially classed as "obsolete" worldwide, just over eight years after its release. In a support document, Apple notes that obsolete products are no longer eligible for hardware service, with "no exceptions." This means that any mid-2012 Retina MacBook Pro 15-inch models still out there that require a battery or other...

New Mac Ransomware Found in Pirated Mac Apps

Tuesday June 30, 2020 11:44 am PDT by
There's a new 'EvilQuest' Mac ransomware variant that's spreading through pirated Mac apps, according to a new report shared today by Malwarebytes. The new ransomware was found in pirated download for the Little Snitch app found on a Russian forum. Right from the point of download, it was clear that something was wrong with the illicit version of Little Snitch, as it had a generic installer...

Unreleased iMac With 10-Core Comet Lake-S Chip and Radeon Pro 5300 GPU Shows Up in Geekbench

Wednesday July 1, 2020 10:48 am PDT by
Benchmarks for an unreleased iMac equipped with a 10th-generation Core i9 Intel Comet Lake-S chip and an AMD Radeon Pro 5300 graphics card have surfaced, giving us an idea of what we can expect from a refreshed 2020 iMac. The Geekbench benchmarks, which appear to be legit, were found on Twitter and shared this morning by Tom's Hardware. The iMac in the benchmarks would be a successor to the...

Leaker: Future iPhone Models to Come in 'Exquisite' Thinner Box

Wednesday July 1, 2020 1:57 am PDT by
Leaker L0vetodream this morning posted a tweet corroborating recent rumors that Apple's "iPhone 12" lineup won't come with EarPods or a charger in the box, adding that this will also eventually apply to the existing second-generation iPhone SE. L0vetodream also claims that future iPhone packaging will be "thinner" and "exquisite," which would make sense if Apple's handsets are set to come in ...

Apple's A12Z Under Rosetta Outperforms Microsoft's Native Arm-Based Surface Pro X

Monday June 29, 2020 10:31 am PDT by
Apple's Developer Transition Kit equipped with an A12Z iPad Pro chip began arriving in the hands of developers this morning to help them get their apps ready for Macs running Apple Silicon, and though forbidden, the first thing some developers did was benchmark the machine. Multiple Geekbench results have indicated that the Developer Transition Kit, which is a Mac mini with an iPad Pro chip, ...

Kuo: iPhone 12 Models Won't Include Charger in Box, 20W Power Adapter Will Be Sold Separately

Sunday June 28, 2020 7:56 am PDT by
iPhone 12 models will not include EarPods or a power adapter in the box, analyst Ming-Chi Kuo said today in a research note obtained by MacRumors. This lines up with a prediction shared by analysts at Barclays earlier this week. Kuo said that Apple will instead release a new 20W power adapter as an optional accessory for iPhones and end production of its existing 5W and 18W power adapters...

Rosetta 2 Benchmarks Surface From Mac Mini With A12Z Chip

Monday June 29, 2020 7:48 am PDT by
While the terms and conditions for Apple's new "Developer Transition Kit" forbid developers from running benchmarks on the modified Mac mini with an A12Z chip, it appears that results are beginning to surface anyhow. Image Credit: Radek Pietruszewski Geekbench results uploaded so far suggest that the A12Z-based Mac mini has average single-core and multi-core scores of 811 and 2,781...

Display Analyst Once Again Says No 120Hz ProMotion Display Coming to iPhone 12 Pro

Wednesday July 1, 2020 11:29 am PDT by
Apple's iPhone 12 models will not feature an upgraded 120Hz ProMotion display, according to display analyst Ross Young. Young previously said that Apple would not implement ProMotion technology until it adopted low-power LTPO display technology, a move Apple is not expected to make until 2021. In a tweet shared this morning, Young said that the none of his contacts have been able to...

Apple Seeds Third Betas of iOS and iPadOS 13.6 to Developers [Update: Public Beta Available]

Tuesday June 30, 2020 10:06 am PDT by
Apple today seeded the third betas of upcoming iOS and iPadOS 13.6 updates to developers, three weeks after seeding the second betas and over a month after releasing iOS/iPadOS 13.5 with Exposure Notification API, Face ID updates, Group FaceTime changes, and more. iOS and iPadOS 13.6 can be downloaded from the Apple Developer Center or over the air once the proper developer profile has been...

The New York Times Ends Apple News Partnership and Pulls All Articles

Monday June 29, 2020 11:17 am PDT by
The New York Times today announced that it is pulling out of Apple News, as the service does not "align with its strategy of building direct relationships with paying readers." Starting today, articles from The New York Times will no longer show up in the Apple News app. The news site says that Apple has given it "little in the way of direct relationships with readers" and "little control...