
I’m Spartacus

13th June 2018 | posted by David Acland

Apple CodeSigning vulnerability

A new vulnerability has been announced in the tech news this week that can fool security software into thinking malicious software is digitally signed by Apple (i.e. “Apple approved”), marking it as safe.

This isn’t an Apple vulnerability, and macOS is no more or less vulnerable than it was before.  The issue is with specific security software titles that misunderstood Apple’s programming guidelines and are reporting software as “Signed by Apple” when it may not be.

Below is a list of the affected vendors (or at least the ones we know about):

  • VirusTotal – CVE-2018-10408
  • Google – Santa, molcodesignchecker – CVE-2018-10405
  • Facebook – OSQuery – CVE-2018-6336
  • Objective Development – LittleSnitch – CVE-2018-10470
  • F-Secure – xFence (also LittleFlocker) – CVE-2018-10403
  • Objective-See – WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer (and others) – CVE-2018-10404
  • Yelp – OSXCollector – CVE-2018-10406
  • Carbon Black – Cb Response – CVE-2018-10407


What does “signed by Apple” mean?

If a binary file has been “signed by Apple”, it means that the developer has signed up for an account with Apple and can digitally sign the executable files on their behalf.  The digital signature is a string of digits that is mathematically generated from the developer’s private Apple signing key and the contents of the binary file.  If the file is modified in any way, or a “fake” key is used, the signature won’t match and the file will be flagged as “untrusted” (or at least, it should be).

This is very similar to the signature you find in SSL certificates used by HTTPS websites.  When you connect to a website using HTTPS, if the certificate has been changed in any way, the signature won’t match and you will be presented with a warning.  This all relies on the browser performing the right checks to identify whether the signature is valid or not.


What is the issue?

The issue is in two parts.  The first issue is the “whitelisting” approach some security products take.  Checking every single binary file on a Mac for malicious code can be time consuming, so lots of security products speed up the process by automatically trusting files that are digitally signed by Apple.  It means they only need to do deeper checks on files that aren’t signed.

This should be a safe thing to do, assuming you are actually verifying that the signature is valid.  The second part of the vulnerability is the method the security products are using to check the Apple digital signature.  There’s lots of deeper technical explanations on the issue in the links below, but in short, the checks are not being performed correctly, and the files are marked as “signed”, even if they aren’t.


Why did this happen?

This isn’t a vulnerability from Apple, but rather a breakdown in communication that meant some security vendors implemented a verification check incorrectly.  The affected security software could mark malicious programs as “safe”.  The risk depends on how much an organisation or individual relies on the security software to protect them.

Patrick Wardle, a developer, explained that the issue was due to ambiguous documentation provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: “To be clear, this is not a vulnerability or bug in Apple’s code… basically just unclear/confusing documentation that led to people using their API incorrectly.”

On the 29th March, Apple stated: “third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.”  In other words, security vendors need to check the signature properly, rather than assume that because one part of a binary file is signed correctly, the rest of it is too.
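As an added illustration (not code from this post or from any of the vendors listed), the Python below shows the structural half of that “additional work”: a universal (fat) binary is split into its per-architecture slices and every slice is held to the same requirement, instead of the first slice speaking for the whole file. The fat and Mach-O header layouts are the real ones; the sample file, the SIGNER marker and fake_apple_check are constructed stand-ins for a real signature check, which on macOS would be SecStaticCodeCheckValidity or codesign run against each slice.

```python
import struct
from typing import Callable, List, Tuple
# Constants from <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE                    # universal header, always big-endian
MH_BE = (0xFEEDFACE, 0xFEEDFACF)          # thin Mach-O magic read from a big-endian file
MH_LE = (0xCEFAEDFE, 0xCFFAEDFE)          # same magic read from a little-endian file
CPU_TYPE_I386, CPU_TYPE_X86_64 = 0x00000007, 0x01000007

def split_universal(data: bytes) -> List[Tuple[int, bytes]]:
    """Return every (cputype, slice_bytes) pair; a thin Mach-O is one slice."""
    magic = struct.unpack(">I", data[:4])[0]
    if magic in MH_BE + MH_LE:
        order = ">" if magic in MH_BE else "<"
        return [(struct.unpack(order + "I", data[4:8])[0], data)]
    if magic != FAT_MAGIC:
        raise ValueError("not a Mach-O or universal binary")
    nfat = struct.unpack(">I", data[4:8])[0]
    slices = []
    for i in range(nfat):
        cputype, _sub, off, size, _align = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        chunk = data[off:off + size]
        if len(chunk) != size or struct.unpack(">I", chunk[:4])[0] not in MH_BE + MH_LE:
            raise ValueError(f"slice {i} is truncated or not Mach-O")
        slices.append((cputype, chunk))
    return slices

def trusted_first_slice_only(data: bytes, verify: Callable[[bytes], bool]) -> bool:
    """Flawed pattern: the whole file is judged by whichever slice comes first.
    `verify` stands in for SecStaticCodeCheckValidity / codesign on one thin slice."""
    return verify(split_universal(data)[0][1])

def trusted_all_slices(data: bytes, verify: Callable[[bytes], bool]) -> bool:
    """Corrected pattern: every architecture must satisfy the same requirement."""
    return all(verify(blob) for _cpu, blob in split_universal(data))

# Constructed fixtures: a 32-byte little-endian mach_header_64 plus a marker payload.
def make_thin(cputype: int, marker: bytes) -> bytes:
    return struct.pack("<8I", 0xFEEDFACF, cputype, 0, 2, 0, 0, 0, 0) + marker

def make_universal(slices: List[Tuple[int, bytes]]) -> bytes:
    hdr, body, off = struct.pack(">II", FAT_MAGIC, len(slices)), b"", 8 + 20 * len(slices)
    for cputype, blob in slices:          # real tools page-align slices; packed back to back here
        hdr += struct.pack(">5I", cputype, 0, off, len(blob), 0)
        body, off = body + blob, off + len(blob)
    return hdr + body

# Stand-in verifier: the marker plays the signing identity; no real CMS signature is checked.
def fake_apple_check(blob: bytes) -> bool:
    return blob.endswith(b"SIGNER=Apple")
# Constructed Spartacus-style file: Apple-signed x86_64 slice first, non-Apple i386 slice second.
SAMPLE = make_universal([(CPU_TYPE_X86_64, make_thin(CPU_TYPE_X86_64, b"SIGNER=Apple")),
                         (CPU_TYPE_I386, make_thin(CPU_TYPE_I386, b"SIGNER=Other"))])
```

On a real file the per-slice check is what the Security framework performs when SecStaticCodeCheckValidity is called with the kSecCSCheckAllArchitectures and kSecCSStrictValidate flags; the first-slice-only result is what the affected tools were effectively reporting.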


What can you do?

If you use any of the above affected products, make sure you update them to their latest versions.  It is possible that more applications are affected, so if you are in any doubt about a particular piece of software you are using, check with the vendor to ensure they are using the correct code signing checks.


More information

