Bypass glitch makes Mac OS vulnerable due to improper code-signing implementation Lessupport 15 Jun 2018

A bypass found in third-party developers' interpretation of the code-signing API allowed unsigned malicious code to appear to be signed by Apple. All the third-party vendors have issued patches once they realized that their software was not interacting correctly with Apple's code-signing API. Without the patch, attackers can craft malicious code and hide it inside the software so that it bypasses the code-signing check, making it appear to be legitimate code approved by Apple.

What is code-signing?

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. Signed code is treated as a key input for whitelisting, antivirus and malware hunting, so once a block of code is signed it is not investigated deeply for any breach or cyber attack.

Okta, which reported the vulns, explained that in macOS, code-signing focuses on Mach-O files, which target a specific native CPU architecture within the Mac ecosystem. The bypass involves a lack of code-signing verification for Mach-O files that are gathered (or “nested”) into the Fat/Universal file format.

“This vulnerability exists in the difference between how the Mach-O loader loads signed code, versus how improperly used code-signing APIs check signed code,” explained Josh Pitts, staff engineer for Research and Exploitation at Okta, in an analysis released on Tuesday.
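To make the Fat/Universal nesting concrete, the following Python is an added example (not code from Okta or any affected vendor) that parses the fat header and lists every nested Mach-O, which is the set of slices a signature check has to cover rather than only one. The function names are hypothetical, the sample file is constructed, and only the 32-bit fat header layout is handled.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # Fat/Universal header, big-endian on disk
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, either byte order
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # 64-bit, either byte order
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 0x0100000C: "arm64"}

def list_slices(data):
    """Return one record per nested Mach-O in a Fat/Universal file.

    A thin (non-fat) Mach-O is reported as a single slice covering the file.
    """
    if data[:4] in MACHO_MAGICS:
        return [{"index": 0, "cpu": "thin", "offset": 0, "size": len(data), "ok": True}]
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        raise ValueError("not a Mach-O or Fat/Universal file")
    (count,) = struct.unpack(">I", data[4:8])
    if 8 + 20 * count > len(data):
        raise ValueError("fat header claims more slices than the file can hold")
    slices = []
    for i in range(count):
        # fat_arch entry: cputype, cpusubtype, offset, size, align (20 bytes)
        cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        in_bounds = size >= 4 and offset + size <= len(data)
        is_macho = in_bounds and data[offset:offset + 4] in MACHO_MAGICS
        slices.append({"index": i, "cpu": CPU_NAMES.get(cputype, hex(cputype)),
                       "offset": offset, "size": size, "ok": is_macho})
    return slices

def needs_per_slice_check(data):
    """True when a verdict on one slice cannot stand for the whole file."""
    return len(list_slices(data)) > 1

def build_sample():
    """Constructed input: a fat header with two tiny placeholder slices."""
    s1 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28    # 64-bit Mach-O magic + padding
    s2 = b"\xce\xfa\xed\xfe" + b"\x00" * 28    # 32-bit Mach-O magic + padding
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += struct.pack(">iiIII", 0x01000007, 3, 64, len(s1), 0)
    header += struct.pack(">iiIII", 7, 3, 96, len(s2), 0)
    return header.ljust(64, b"\x00") + s1 + s2

if __name__ == "__main__":
    for s in list_slices(build_sample()):
        print(s)
```

A slice reported with `ok` set to false (out of bounds or not starting with a Mach-O magic) is a reason to treat the whole file as unverified.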

All the third-party vendors had been notified about the above scenario and have taken the necessary steps to remove the flaw from their code-signing implementations. However, there may still be many third-party tools that are not using the code-signing APIs correctly.

 
