
I’m Spartacus

13th June 2018 | posted by David Acland

Apple CodeSigning vulnerability

A new vulnerability has been announced in the tech news this week that can fool security software into thinking malicious software is digitally signed by Apple (i.e. “Apple approved”), marking it as safe.

This isn’t an Apple vulnerability, and macOS is no more or less vulnerable than it was before.  The issue is with specific security software titles that misunderstood Apple’s programming guidelines and are reporting software as “Signed by Apple” when it may not be.

Below is a list of the affected vendors (or at least the ones we know about):

  • VirusTotal – CVE-2018-10408
  • Google – Santa, molcodesignchecker – CVE-2018-10405
  • Facebook – OSQuery – CVE-2018-6336
  • Objective Development – LittleSnitch – CVE-2018-10470
  • F-Secure – xFence (also LittleFlocker) – CVE-2018-10403
  • Objective-See – WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer (and others) – CVE-2018-10404
  • Yelp – OSXCollector – CVE-2018-10406
  • Carbon Black – Cb Response – CVE-2018-10407


What does “signed by Apple” mean?

If a binary file has been “signed by Apple”, it means that the developer has signed up for an account with Apple, and can digitally sign the executable files on their behalf.  The digital signature is a string of digits that is mathematically generated from the developer’s private Apple signing key and the contents of the binary file.  If the file is modified in any way, or a “fake” key is used, the signature won’t match and the file will be flagged as “untrusted” (or at least, it should be).

This is very similar to the signature you find in SSL certificates used by HTTPS websites.  When you connect to a website using HTTPS, if the certificate has been changed in any way, the signature won’t match and you will be presented with a warning.  This all relies on the browser performing the right checks to identify whether the signature is valid or not.


What is the issue?

The issue is in two parts.  The first issue is the “whitelisting” approach some security products take.  Checking every single binary file on a Mac for malicious code can be time consuming, so lots of security products speed up the process by automatically trusting files that are digitally signed by Apple.  It means they only need to do deeper checks on files that aren’t signed.

This should be a safe thing to do, assuming you are actually verifying that the signature is valid.  The second part of the vulnerability is the method the security products use to check the Apple digital signature.  There are plenty of deeper technical explanations of the issue in the links below, but in short, the checks are not being performed correctly, and files are marked as “signed” even when they aren’t.


Why did this happen?

This isn’t a vulnerability from Apple, but rather a breakdown in communication that meant some security vendors implemented a verification check incorrectly.  The affected security software could mark malicious programs as “safe”.  The risk depends on how much an organisation or individual relies on the security software to protect them.

Patrick Wardle, a developer, explained that the issue was due to ambiguous documentation provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: “To be clear, this is not a vulnerability or bug in Apple’s code… basically just unclear/confusing documentation that led to people using their API incorrectly.”

On the 29th March, Apple stated: “third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.”  This means security vendors need to check the signature properly, and not just assume that because one part of a binary file is signed correctly, the rest of it is.
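To make Apple’s guidance concrete, here is a small Python sketch added for this post (it is not code from the post or from any of the vendors listed above). It parses the header of a Mach-O universal (fat) binary, then contrasts a check that only looks at the first architecture slice with one that requires every slice to report the same identity. The per-slice signature check is a labelled stand-in for what codesign or the Security framework would do on a real file, and the sample binaries are constructed inline.

```python
import struct

FAT_MAGIC = 0xCAFEBABE       # big-endian magic of a Mach-O universal binary
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_I386 = 0x00000007

def parse_fat_slices(blob):
    """Return [(cputype, offset, size), ...] from the fat header (struct fat_arch entries)."""
    magic, nfat = struct.unpack(">II", blob[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a universal binary")
    out = []
    for i in range(nfat):
        cputype, _sub, off, size, _align = struct.unpack(">IIIII", blob[8 + 20 * i:28 + 20 * i])
        out.append((cputype, off, size))
    return out

def stand_in_identity(slice_bytes):
    """Stand-in (assumption) for a real per-slice signature check (codesign / SecStaticCode).
    Constructed for this demo: the signer is a 'SIGNER=' marker at the start of the slice."""
    if slice_bytes.startswith(b"SIGNER="):
        return slice_bytes[7:].split(b"\0", 1)[0].decode()
    return "unsigned"

def naive_verdict(blob, identity_of=stand_in_identity):
    """The flawed check: trust the whole file if the first slice looks Apple-signed."""
    _, off, size = parse_fat_slices(blob)[0]
    return identity_of(blob[off:off + size]) == "Apple"

def strict_verdict(blob, identity_of=stand_in_identity):
    """Apple's guidance: every slice must report the same identity, and it must be Apple."""
    ids = {identity_of(blob[off:off + size]) for _, off, size in parse_fat_slices(blob)}
    return ids == {"Apple"}

def build_fat(slices):
    """Constructed sample builder: pack (cputype, payload) pairs into a fat file."""
    off = 8 + 20 * len(slices)
    header, body = struct.pack(">II", FAT_MAGIC, len(slices)), b""
    for cputype, payload in slices:
        header += struct.pack(">IIIII", cputype, 3, off, len(payload), 0)
        body, off = body + payload, off + len(payload)
    return header + body

# Constructed samples: an all-Apple binary, and a mixed one whose second slice has no Apple identity.
GENUINE = build_fat([(CPU_TYPE_X86_64, b"SIGNER=Apple\0" + b"\x90" * 8),
                     (CPU_TYPE_I386, b"SIGNER=Apple\0" + b"\x90" * 8)])
MIXED = build_fat([(CPU_TYPE_X86_64, b"SIGNER=Apple\0" + b"\x90" * 8),
                   (CPU_TYPE_I386, b"\x90" * 8)])

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE), ("mixed", MIXED)):
        print(name, "naive:", naive_verdict(blob), "strict:", strict_verdict(blob))
```

The mixed sample passes the naive check and fails the strict one, which is exactly the gap the advisories describe.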


What can you do?

If you use any of the affected products listed above, make sure you update them to their latest versions.  It is possible that more applications are affected, so if you are in any doubt about a particular piece of software you are using, check with the vendor to ensure they are using the correct code signing checks.


More information
