Third-party macOS security tool bug allowed malware to pass off as Apple software for over 10 years

Security researchers have discovered vulnerabilities that could have allowed hackers to disguise malware to look like legitimate Apple software. The flaws, which involved issues with code signing checks, were not found in MacOS. Instead, they were discovered in third-party security tools.

The cryptographically signed digital signatures act as security tools that allow users to know that an app is legitimate and has been signed by a trusted party using a private key.

However, the nearly decade-old flaw would have allowed hackers to easily bypass these code-signing checks, as well as the various security measures that have been employed by numerous MacOS security tools since 2007, Ars Technica reported.

“I can take malicious code and make it look like it’s signed by Apple,” Okta security researcher Josh Pitts who discovered the flaws, told Motherboard.

A program that has a signature showing it was signed by Apple would be appear to be more trustworthy and more likely to be executed by customers, rather than an application that isn’t signed.

The flaws could have duped MacOS security tools such as Google Santa, Yelp’s OSXCollector, Carbon Black’s Cb Response, Little Snitch, xFence, and Facebook’s OSquery, into believing that a malware was legitimate Apple code.

While the vulnerabilities do affect Apple’s software, the flaw is not one that exists in MacOS itself. Instead, the vulnerabilities are the result of how Apple’s APIs were implemented by third-party security tools.

Hackers often employ techniques that can help them bypass code-signing checks. In fact, the infamous Stuxnet malware, which targeted Iran’s nuclear systems in 2007, reportedly relied on exploiting digital signatures.

“To be clear, this is not a vulnerability or bug in Apple’s code... basically just unclear/confusing documentation that led to people using their API incorrectly,” Digita Security chief research officer, Patrick Wardle, told ArsTechnica. “Apple updated [its] documents to be more clear, and third-party developers just have to invoke the API with a more comprehensive flag (that was always available).”

This is not the first time that methods used to bypass digital signature checks in third-party security tools have been discovered by security experts. According to security researcher Wardle, the developer of the Objective-See tools, hackers can bypass third-party tools in a targeted attack, including his own.

“If a hacker wants to bypass your tool and targets it directly, they will win,” Wardle told Ars Techninca.

Fortunately, patches are available for all the affected tools which means the issue can be fixed. A Google spokesperson confirmed that the tech giant had already patched Santa, Motherboard reported. Yelp, Facebook and F-Secure have already patched their tools as well.