“For almost 11 years, hackers have had an easy way to get macOS malware past the scrutiny of a host of third-party security tools by tricking them into believing the malicious wares were signed by Apple, researchers said Tuesday,” Dan Goodin writes for Ars Technica.
“Digital signatures are a core security function for all modern operating systems. The cryptographically generated signatures make it possible for users to know with complete certainty that an app was digitally signed with the private key of a trusted party. But, according to the researchers, the mechanism many macOS security tools have used since 2007 to check digital signatures has been trivial to bypass. As a result, it has been possible for anyone to pass off malicious code as an app that was signed with the key Apple uses to sign its apps… Affected third-party tools included VirusTotal, Google Santa, Facebook OSQuery, the Little Snitch Firewall, Yelp, OSXCollector, Carbon Black’s db Response, and several tools from Objective-See.”
“Patrick Wardle, the developer of the Objective-See tools and Chief Research Officer at Digita Security, said third-party tools including his own can almost always be bypassed when hackers directly or proactively target them,” Goodin writes. “‘To be clear, this is not a vulnerability or bug in Apple’s code… basically just unclear/confusing documentation that led to people using their API incorrectly,’ Wardle told Ars. ‘Apple updated [its] documents to be more clear, and third-party developers just have to invoke the API with a more comprehensive flag (that was always available).’”
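As an added example (not code from the article, from Apple, or from any of the tools named above), here is how a third-party tool can ask the macOS Security framework whether a binary is signed by Apple, run once the lenient way and once with the stricter flags. The article does not name the flag Wardle refers to; this example assumes it is kSecCSCheckAllArchitectures, paired here with kSecCSStrictValidate, both of which the Security framework defines.

```objective-c
// verify_apple_signed.m -- added example; macOS only.
// Build: clang -framework Security -framework CoreFoundation verify_apple_signed.m -o verify_apple_signed
#import <Security/Security.h>
#import <CoreFoundation/CoreFoundation.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

// Returns true if the code at `path` satisfies the requirement "anchor apple",
// i.e. its signature chains to Apple's root. With strictAllSlices set, every
// architecture slice of a universal binary must satisfy it (the assumed fix);
// without it, only the slice the host would execute is evaluated.
static bool isSignedByApple(const char *path, bool strictAllSlices) {
    bool ok = false;
    SecStaticCodeRef code = NULL;
    SecRequirementRef req = NULL;
    CFErrorRef err = NULL;
    SecCSFlags flags = kSecCSDefaultFlags;
    CFURLRef url = CFURLCreateFromFileSystemRepresentation(
        kCFAllocatorDefault, (const UInt8 *)path, strlen(path), false);
    if (!url) return false;

    if (SecStaticCodeCreateWithPath(url, kSecCSDefaultFlags, &code) != errSecSuccess) goto done;
    // Code-requirement language: "anchor apple" means "signed by Apple itself".
    if (SecRequirementCreateWithString(CFSTR("anchor apple"), kSecCSDefaultFlags, &req) != errSecSuccess) goto done;

    if (strictAllSlices) flags |= kSecCSCheckAllArchitectures | kSecCSStrictValidate;
    ok = (SecStaticCodeCheckValidityWithErrors(code, flags, req, &err) == errSecSuccess);

    if (!ok && err) {  // surface the framework's reason for rejecting the code
        CFStringRef desc = CFErrorCopyDescription(err);
        char buf[512];
        if (desc && CFStringGetCString(desc, buf, sizeof buf, kCFStringEncodingUTF8))
            fprintf(stderr, "%s: %s\n", path, buf);
        if (desc) CFRelease(desc);
    }
done:
    if (err) CFRelease(err);
    if (req) CFRelease(req);
    if (code) CFRelease(code);
    CFRelease(url);
    return ok;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <binary-or-bundle>\n", argv[0]); return 2; }
    bool lenient = isSignedByApple(argv[1], false);
    bool strict  = isSignedByApple(argv[1], true);
    printf("%s\n  default flags:        %s\n  all slices + strict:  %s\n", argv[1],
           lenient ? "Apple-signed" : "NOT Apple-signed", strict ? "Apple-signed" : "NOT Apple-signed");
    return strict ? 0 : 1;  // a defender's allow-list should trust only the strict result
}
```

Running it against a few system binaries (e.g. /bin/ls) shows both checks agreeing; a binary that passes the default check but fails the strict one is exactly the case a signature-based allow-list should treat as untrusted.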
Read more in the full article here.
MacDailyNews Take: So, here’s to third-party developers invoking the API provided by Apple with a more comprehensive flag (that was always available)!