SECURITY OUTFIT Okta has uncovered a major security vulnerability in Apple's ‘code-signing' which, according to the firm, has the potential to affect all macOS users.
Found by Josh Pitts, a researcher on the Okta Research and Exploitation (REX) team, the Apple code-signing vulnerability is said to have allowed anyone - including a malicious actor - to impersonate Apple.
More specifically, by exploiting this vulnerability, a threat actor could trick third-party security tools into believing their code is Apple-approved, letting malicious code live on a macOS machine until it's patched.
"Through this method, a sophisticated threat actor could get access to personal data, financial details, or sensitive insider information," the company said in a statement.
"And, by exploiting this vulnerability, threat actors can bypass a core security function - and even the most vigilant security professionals - that most end users don't know or think about as they go about their digital activities. What this does, is break the chain of trust in code signed by Apple and in MacOS security that people often take for granted."
Code-signing is the standardised process of using public key infrastructure to digitally sign compiled code or scripting languages to ensure a trusted origin, and that the deployed code has not been modified. It is intended to provide a guarantee to end users that the code they are about to install does, indeed, come from who it says it comes and that it is bona fide.
This is a core security function that most end users don't know or think about as they run their everyday applications.
"With millions of consumers and more and more businesses using Mac everyday, the potential scope here is enormous," Okta added.
The REX researcher found that virtually all non-Apple developed, or 'third party' Apple-focused security products using the official Apple APIs didn't verify the cryptographic signature properly.
Pitts was thus able to create a malformed program that, to these security products, would look to be signed by Apple itself, thereby bypassing a core security feature in these products.
"This technique could, in a post-exploitation and/or phishing attack as a 2nd stage payload, allow for long-term persistence in plain sight," Okta explained. "After testing, [we] concluded that this technique bypassed the gambit of whitelisting, incident response, and process inspection solutions by appearing to be signed by Apple's own root certificate."
This security flaw could even have been abused since the 2005 introduction of OSX Leopard, as it takes advantage of OSX's multi-CPU architecture support.
"While we are not aware of any prior abuse of this technique by bad actors, we assess that it is highly possible given the ever-present desires to circumstance security in all forms," Okta warned.
With the help of US-CERT, all known affected vendors have been notified of the issue and Okta said it is publishing a public disclosure today to ensure the public is aware of this vulnerability. µ
Bad for shareholders, mildly good for the planet
YouTube on the Tube
Claims that it hasn't ever actually worked