“Malware on Apple’s MacBook and iMac lines is more prevalent than some users realize; it can even hide in Apple’s curated Mac App Store. But the relatively strong defenses of macOS make it challenging for malware authors to persist long-term on Apple computers, even if they can get an initial foothold,” Lily Hay Newman writes for Wired. “Additionally, the avenues available for lurking on macOS are so well known at this point that technicians and malware scanners can flag them quickly. That’s why more subtle approaches are significant.”
“At the Virus Bulletin security conference in Montreal on Wednesday, Mac security researcher Thomas Reed is presenting one such potentially dangerous opening,” Newman writes. “When you launch an app installer in macOS, a program called Gatekeeper checks to see whether the app originated from the Mac App Store, or is cryptographically signed by a developer who has registered with Apple. All legitimate programs have to be ‘code signed’ to establish their validity and integrity. By checking a file’s code signature, Gatekeeper can warn you if a program is malware or if someone has tampered with an otherwise benign installer.”
“These code signature checks are a vital security step. But Reed, who is the director of Mac and mobile platforms at the security firm Malwarebytes, has noticed that once a program passes a code signature check and gets installed, macOS never rechecks its signature,” Newman writes. “This means that attackers who buy a legitimate certificate from Apple—or steal one—can potentially trick Mac users into installing their malware. And if it manages to infect other legitimate programs after being downloaded, it could evade detection indefinitely.”
Read more in the full article here.
MacDailyNews Take: To date, Newman reports that Reed hasn’t seen any malware that capitalizes on this, so hopefully, now that they know about it, Apple can close this hole before anything untoward happens.
Another magical golden unicorn of a trojan horse
I blame John Dingler, artiste, for creating me and using my bipolar ways to Jeckyl and Hyde my way into the malware business.
My artist business is just a front. I’m really a multi-million dollar Mac malware crime boss. I am admitting here because no-one will take it seriously and I’ll keep on getting away with it forever.
Suck on that, Al Crapone.
“These code signature checks are a vital security step”
Another MORE vital security step is
DON’T INSTALL EVERY FLASH UPDATER THAT GETS DOWNLOADED TO YOUR COMPUTER!
Oh, they don’t even think this is actually happening? Wow, I feel for the macOS security researchers, assigned to a life of writing about things that never happen…
This is NOT new. This vector was reported YEARS ago! Those of us who are really concerned about this have been dealing with it since it was originally reported.