Researchers at the security company Okta revealed a code signing flaw in macOS and OS X that undermines the operating systems’ basic defenses. The company said this flaw affects “all third-party security, forensics, and incident response tools that used the official code signing API.” This means tools from Google, Facebook, and other companies won’t be able to tell if malicious software is, well, malicious.
Code signing effectively serves as a stamp of approval. If software has been signed by Apple, for example, security tools will believe that it came from a trusted source and hasn’t been modified. Okta researchers discovered that a flaw in macOS and some versions of OS X allows hackers to make it seem like their malicious and unsigned software (which obviously has not been vetted) was actually signed by Apple.
Here’s what Okta said about its discovery in a blog post:
“By exploiting this vulnerability, threat actors can trick even the most security-savvy people and bypass a core security function that most end users don’t know or think about as they go about their digital activities. And, with the proliferation of apps for the workplace and personal use in everybody’s daily lives, bad actors can easily abuse this vulnerability.”
Yet it seems that Apple doesn’t consider this a problem it has to address. According to Okta’s timeline of this flaw’s discovery and disclosure, which you can find in the full technical analysis, Apple “stated they did not see this as a security issue that they should directly address.” Okta first shared news of this flaw with Apple on February 20; it decided to go public with the issue after informing affected companies of the flaw.
Apple purportedly told Okta that it would update its documentation to be clearer about this flaw’s causes. The company also said that “third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.” In the meantime, a foundational aspect of macOS and OS X security could be undermined without many people knowing it.
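The extra check Apple describes, comparing the signing identity of every slice in a universal binary rather than trusting a single result for the whole file, is straightforward to express in code. The example below is an added illustration for this article, not Okta's proof of concept or Apple's or any vendor's implementation. It parses the fat (universal) header to split the file into per-architecture slices, then requires that a caller-supplied identity function returns the same expected identity for each slice. The `demo_identity` function and the `TEAMID:` marker are constructed stand-ins for a real per-slice signature check (in practice you would run `codesign` or the Security framework against each extracted slice); the fat header layout and magic values are the real Mach-O ones.

```python
import struct
from typing import Callable, Dict, List, Optional, Tuple

FAT_MAGIC = 0xCAFEBABE        # universal binary magic, stored big-endian
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O magic, stored little-endian on x86
CPU_TYPE_I386 = 0x00000007
CPU_TYPE_X86_64 = 0x01000007


def parse_fat_slices(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a universal binary into (cputype, slice_bytes) pairs.

    Raises ValueError for non-fat input or for a fat_arch entry that points
    outside the file, so a malformed header cannot silently hide a slice."""
    if len(data) < 8:
        raise ValueError("file too short for a fat header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a universal (fat) binary")
    if 8 + 20 * nfat > len(data):
        raise ValueError("fat_arch table extends past end of file")
    slices = []
    for i in range(nfat):
        off = 8 + i * 20
        cputype, _cpusub, offset, size, _align = struct.unpack(">iiIII", data[off:off + 20])
        if offset + size > len(data):
            raise ValueError("slice %d extends past end of file" % i)
        slices.append((cputype, data[offset:offset + size]))
    return slices


def verify_universal(data: bytes, identity_of: Callable[[bytes], str],
                     expected: str) -> Tuple[bool, Dict[int, str]]:
    """Apply the per-slice rule: every slice must carry the expected identity.

    Returns (ok, {cputype: identity}) so a tool can report which slice differs."""
    found = {cputype: identity_of(blob) for cputype, blob in parse_fat_slices(data)}
    ok = bool(found) and all(ident == expected for ident in found.values())
    return ok, found


# ---- constructed sample data: a fake signature check and a fat-binary builder ----

def make_slice(identity: Optional[str]) -> bytes:
    """Constructed Mach-O slice: a real 64-bit magic, a zeroed header, and a fake
    'TEAMID:' marker standing in for the slice's embedded code signature."""
    header = struct.pack("<I", MH_MAGIC_64) + b"\0" * 28
    return header + (b"TEAMID:" + identity.encode() if identity else b"")


def demo_identity(blob: bytes) -> str:
    """Constructed stand-in for a real per-slice signature verifier."""
    if len(blob) < 4 or struct.unpack("<I", blob[:4])[0] != MH_MAGIC_64:
        return "not-macho"
    marker = blob.find(b"TEAMID:")
    return blob[marker + 7:].decode() if marker != -1 else "unsigned"


def build_fat(entries: List[Tuple[int, bytes]], align_pow: int = 12) -> bytes:
    """Assemble a universal binary with each slice on a 2**align_pow boundary."""
    align = 1 << align_pow
    offsets, cur = [], (8 + 20 * len(entries) + align - 1) & ~(align - 1)
    for _, blob in entries:
        offsets.append(cur)
        cur = (cur + len(blob) + align - 1) & ~(align - 1)
    out = bytearray(cur)
    out[0:8] = struct.pack(">II", FAT_MAGIC, len(entries))
    for i, ((cputype, blob), offset) in enumerate(zip(entries, offsets)):
        out[8 + 20 * i:28 + 20 * i] = struct.pack(">iiIII", cputype, 3, offset, len(blob), align_pow)
        out[offset:offset + len(blob)] = blob
    return bytes(out)


if __name__ == "__main__":
    consistent = build_fat([(CPU_TYPE_X86_64, make_slice("Apple")),
                            (CPU_TYPE_I386, make_slice("Apple"))])
    mixed = build_fat([(CPU_TYPE_X86_64, make_slice("Apple")),
                       (CPU_TYPE_I386, make_slice(None))])
    print(verify_universal(consistent, demo_identity, "Apple"))  # (True, {...})
    print(verify_universal(mixed, demo_identity, "Apple"))       # (False, {...})
```

The point of returning the per-architecture map rather than a bare boolean is that a security or forensics tool can show an analyst exactly which slice fails to match, which is the information a whole-file "signed by Apple" verdict hides.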