Apple CodeSigning vulnerability
A vulnerability reported in the tech news this week allows malicious software to be presented to some security tools as digitally signed by Apple (i.e. “Apple approved”), so that those tools mark it as safe.
This isn’t an Apple vulnerability, and macOS itself is no more or less vulnerable than it was before. The issue is with specific security software titles that misunderstood Apple’s programming guidelines and report software as “signed by Apple” when it may not be.
Below is a list of the affected products and their CVE identifiers (or at least the ones we know about):
- VirusTotal – CVE-2018-10408
- Google – Santa, molcodesignchecker – CVE-2018-10405
- Facebook – osquery – CVE-2018-6336
- Objective Development – Little Snitch – CVE-2018-10470
- F-Secure – xFence (also Little Flocker) – CVE-2018-10403
- Objective-See – WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer (and others) – CVE-2018-10404
- Yelp – OSXCollector – CVE-2018-10406
- Carbon Black – Cb Response – CVE-2018-10407
What does “signed by Apple” mean?
Apple signs its own system binaries with its own keys, and third-party developers who sign up for an Apple developer account receive a signing certificate issued by Apple with which they sign their own executables. In both cases the chain of trust ends at Apple, which is why security software treats “signed by Apple” as a strong signal. The digital signature itself is a value computed from the signer’s private key and a cryptographic hash of the binary’s contents, and it can be checked with the corresponding public key. If the file is modified in any way, or a key that doesn’t chain back to Apple is used, the signature won’t verify and the file should be flagged as “untrusted” (or at least, it should be, provided the checker actually verifies it).
This is very similar to the certificate signatures used by HTTPS websites (TLS, often still called SSL). When you connect to a website over HTTPS, if the certificate has been tampered with or isn’t issued by a trusted authority, the signature check fails and you are presented with a warning. The protection relies entirely on the browser performing the right checks to decide whether the signature is valid or not; the same is true of security software checking code signatures.
What is the issue?
The issue is in two parts. The first is the “whitelisting” (allow-listing) approach some security products take. Checking every single binary file on a Mac for malicious code is time consuming, so many security products speed up the process by automatically trusting files that are digitally signed by Apple. They then only need to do deeper checks on files that aren’t signed.
This should be a safe thing to do, assuming you actually verify that the signature is valid for the whole file. The second part of the vulnerability is the method the security products were using to check the Apple digital signature. There are deeper technical explanations of the issue in the links below, but in short, the checks were not being performed correctly, and files were marked as “signed by Apple” even when they weren’t, which means the allow-list could be fooled by a file that merely contained something Apple had signed.
Why did this happen?
This isn’t a vulnerability in Apple’s code, but rather a breakdown in communication that meant some security vendors implemented a verification check incorrectly. The affected security software could mark malicious programs as “safe”. The risk depends on how much an organisation or individual relies on the security software to protect them.
Patrick Wardle, a security researcher whose Objective-See tools are among those affected, explained that the issue was due to ambiguous documentation provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: “To be clear, this is not a vulnerability or bug in Apple’s code… basically just unclear/confusing documentation that led to people using their API incorrectly.”
On the 29th March, Apple stated “third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.” A universal (or “fat”) binary is a single file that bundles separate copies of a program for several CPU architectures, and each of those copies carries its own signature. A checker that validates only the first copy it finds can be fooled by a file whose first copy is a genuine Apple-signed binary while another copy, the one that actually runs, is not. Security vendors therefore need to check every part of the file and confirm that all parts are signed by the same identity, rather than assuming that because one part of a binary file is signed correctly, the rest of it is.
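The following is an added example written for this article to illustrate both the allow-listing shortcut described above and Apple’s point about universal binaries; it is not code from Apple, Okta or any of the affected vendors. It parses the real fat-binary header layout (big-endian, magic 0xCAFEBABE, one fat_arch entry per slice) but replaces Apple’s Code Signing Services with a hypothetical toy signature (an HMAC under two made-up keys standing in for “Apple” and “attacker”) so that it runs offline. The sample binary it builds is constructed here, not taken from any real malware.

```python
"""Toy model of the universal-binary signature check (constructed example).

Real parts: the fat_header / fat_arch layout and the idea that the loader
picks the slice matching the host CPU.  Stand-ins (hypothetical): the
per-slice "signature", which is an HMAC under a toy key rather than an
Apple-issued certificate.
"""
import hashlib
import hmac
import struct

FAT_MAGIC = 0xCAFEBABE
CPU_TYPE_I386 = 7
CPU_TYPE_X86_64 = 0x01000007

# Hypothetical keys standing in for the two signing identities.
APPLE_KEY = b"apple-toy-key"
ATTACKER_KEY = b"attacker-toy-key"
TAG_LEN = hashlib.sha256().digest_size


def sign_slice(code: bytes, key: bytes) -> bytes:
    """Toy signature: append HMAC-SHA256(key, code) to the slice body."""
    return code + hmac.new(key, code, hashlib.sha256).digest()


def slice_signed_by(slice_bytes: bytes, key: bytes) -> bool:
    """Does the slice carry a valid toy signature under `key`?"""
    if len(slice_bytes) < TAG_LEN:
        return False
    code, tag = slice_bytes[:-TAG_LEN], slice_bytes[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, code, hashlib.sha256).digest())


def slice_identity(slice_bytes: bytes):
    """Return which toy identity signed the slice, or None if neither verifies."""
    for name, key in (("apple", APPLE_KEY), ("attacker", ATTACKER_KEY)):
        if slice_signed_by(slice_bytes, key):
            return name
    return None


def build_fat(slices, align=12) -> bytes:
    """Pack (cputype, body) pairs into a fat binary using the real header structs.

    fat_header: magic, nfat_arch (big-endian u32 each)
    fat_arch:   cputype, cpusubtype, offset, size, align (big-endian u32 each)
    Slices are placed on 2**align boundaries, as real linkers do (4 KiB here).
    """
    page = 1 << align
    offsets, cursor = [], 8 + 20 * len(slices)
    for _, body in slices:
        cursor = -(-cursor // page) * page  # round up to the next page
        offsets.append(cursor)
        cursor += len(body)
    out = bytearray(cursor)
    struct.pack_into(">II", out, 0, FAT_MAGIC, len(slices))
    for i, ((cputype, body), off) in enumerate(zip(slices, offsets)):
        struct.pack_into(">IIIII", out, 8 + 20 * i, cputype, 0, off, len(body), align)
        out[off:off + len(body)] = body
    return bytes(out)


def parse_fat(data: bytes):
    """Return [(cputype, slice_bytes), ...] or raise ValueError on a malformed file."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    if 8 + 20 * nfat_arch > len(data):
        raise ValueError("fat_arch table runs past end of file")
    slices = []
    for i in range(nfat_arch):
        cputype, _sub, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        if off + size > len(data):
            raise ValueError(f"slice {i} runs past end of file")
        slices.append((cputype, data[off:off + size]))
    return slices


def naive_is_apple_signed(data: bytes) -> bool:
    """The flawed allow-list check: trust the file if the FIRST slice verifies."""
    return slice_identity(parse_fat(data)[0][1]) == "apple"


def strict_is_apple_signed(data: bytes) -> bool:
    """The corrected check: every slice must verify, all under the same identity."""
    return {slice_identity(s) for _, s in parse_fat(data)} == {"apple"}


def slice_the_loader_would_run(data: bytes, host_cputype: int) -> bytes:
    """Model of the loader choosing the slice that matches the host CPU."""
    for cputype, s in parse_fat(data):
        if cputype == host_cputype:
            return s
    raise ValueError("no slice for this CPU")


def craft_mixed_fat() -> bytes:
    """Constructed sample: a genuine-looking first slice, an attacker-signed second slice."""
    apple_slice = sign_slice(b"\xce\xfa\xed\xfe placeholder i386 code", APPLE_KEY)
    evil_slice = sign_slice(b"\xcf\xfa\xed\xfe placeholder x86_64 code", ATTACKER_KEY)
    return build_fat([(CPU_TYPE_I386, apple_slice), (CPU_TYPE_X86_64, evil_slice)])


if __name__ == "__main__":
    sample = craft_mixed_fat()
    print("naive check says Apple-signed:", naive_is_apple_signed(sample))
    print("strict check says Apple-signed:", strict_is_apple_signed(sample))
    running = slice_the_loader_would_run(sample, CPU_TYPE_X86_64)
    print("slice that would actually run is signed by:", slice_identity(running))
```

The naive check accepts the constructed file because the first slice really does verify under the “Apple” key, while the slice an x86_64 machine would actually execute verifies only under the attacker’s key; the strict check rejects it because the identities across slices differ. The same two-step structure (validate every slice, then require a single identity) is what Apple’s statement asks third-party checkers to implement.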
What can you do?
If you use any of the above affected products, make sure you update them to their latest versions. It is possible that more applications are affected, so if you are in any doubt about a particular piece of software you are using, check with the vendor to confirm that it verifies every architecture slice of a universal binary and that all slices share the same signing identity (for tools built on Apple’s Code Signing Services this means validating with the kSecCSCheckAllArchitectures flag rather than accepting the result for a single slice). If you develop security tooling yourself, the same check applies to your own code.