How does signed software help mitigate malware?
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this attack.
Okta Inc. researchers discovered a bypass that allows threat actors to create malware that can pose as legitimate software files signed by Apple. What is this bypass and who does it affect?
Because regular users sometimes find it difficult to know what is and isn't safe on the internet or when installing software, software developers are increasingly signing their software -- something many operating systems require before letting new software run or be installed on a device.
However, signed software doesn't always prevent malware from bypassing signature verification, because regular users often don't know how to authenticate signed software. In addition, even experienced IT professionals and software developers don't always know how to validate signed software correctly on each operating system or across the different versions of the signing tools.
Josh Pitts, a staff engineer on the research and exploitation team at Okta, blogged about malware bypassing third-party code-signing verification. In this case, the vulnerability is not in Apple's systems, but rather in the way third parties use Apple's APIs to verify signed software.
The researchers at Okta discovered that several software vendors had misunderstood how to use the code-signing APIs to check signatures on signed files. The issue was that a macOS binary can bundle more than one version of the executable in a single file -- one per CPU architecture -- and the affected verifiers checked only the first version's signature against a known certificate authority (CA), leaving the remaining versions unchecked.
As a result, an attacker could bypass checks that require a binary signed by a known CA by bundling a legitimately signed binary into the same file as a malware binary signed with a self-signed certificate. In that case, the authentically signed binary is mixed in with the malware, and a verifier that stops at the first version never sees the malicious one. Apple has since updated its developer documentation to explain this issue to developers.
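To see why a verifier that inspects only the first version is insufficient, the following added example (not code from the article or from Okta's research) parses the universal ("fat") header of a macOS binary and lists every architecture slice it contains; `build_sample_fat` constructs a two-slice file inline so the script runs offline. It only enumerates slices and does not validate any signature, since each slice carries its own code signature and must be verified separately.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # big-endian universal (fat) header magic
MACHO_MAGICS = {  # per-slice Mach-O magics as stored on disk (little-endian)
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 0x0100000C: "arm64", 18: "ppc"}


def list_slices(data: bytes):
    """Return (arch, offset, size, kind) for every slice; a thin Mach-O with
    no fat header is reported as one slice. Each slice carries its own code
    signature, so a verifier must check every entry this returns."""
    if len(data) >= 8 and data[:4] == struct.pack(">I", FAT_MAGIC):
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat == 0 or 8 + 20 * nfat > len(data):
            raise ValueError("malformed fat header")
        slices = []
        for i in range(nfat):
            cputype, _sub, off, size, _align = struct.unpack(
                ">IIIII", data[8 + 20 * i:28 + 20 * i])
            if size < 4 or off + size > len(data):
                raise ValueError(f"slice {i} lies outside the file")
            kind = MACHO_MAGICS.get(data[off:off + 4], "unknown")
            slices.append((CPU_NAMES.get(cputype, hex(cputype)), off, size, kind))
        return slices
    return [("thin", 0, len(data), MACHO_MAGICS.get(data[:4], "unknown"))]


def first_slice_only(data: bytes):
    """What a flawed verifier sees when it checks only the first architecture."""
    return list_slices(data)[:1]


def build_sample_fat() -> bytes:
    """Constructed two-slice file: an i386 slice first, an x86_64 slice second.
    Slice bodies are just a Mach-O magic plus padding; only the layout matters."""
    slice_a = b"\xce\xfa\xed\xfe" + b"\x00" * 60
    slice_b = b"\xcf\xfa\xed\xfe" + b"\x00" * 60
    off_a, off_b = 0x100, 0x200
    hdr = struct.pack(">II", FAT_MAGIC, 2)
    hdr += struct.pack(">IIIII", 7, 3, off_a, len(slice_a), 12)
    hdr += struct.pack(">IIIII", 0x01000007, 3, off_b, len(slice_b), 12)
    blob = bytearray(off_b + len(slice_b))
    blob[:len(hdr)] = hdr
    blob[off_a:off_a + len(slice_a)] = slice_a
    blob[off_b:off_b + len(slice_b)] = slice_b
    return bytes(blob)
```

Running `list_slices` on a real binary (`open(path, "rb").read()`) shows how many slices a complete check must cover; on macOS the per-slice validation itself is done by the Security framework's code-signing APIs with the kSecCSCheckAllArchitectures flag set, which the article does not mention by name.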
The vulnerability requires specific conditions to work, and there have been no indications that the vulnerability has been actively exploited. Okta worked with the CERT Coordination Center to notify the vendors they identified as vulnerable, and those vendors have also updated their software to address this vulnerability.