Hackers Could Bypass macOS Signature Checks for A Decade

Code signing is one of the most important lines of defense against malware. It allows a user to know that the software they intend to install or run came from a trusted source, such as Apple, or another trusted developer. While code signing is not a 100% foolproof method, since some malware authors will burn legitimate developer IDs to sign their code, it’s generally a very strong safety feature. Code signed by Apple would be considered especially trustworthy, since no one would be able to spoof Apple’s private key. As it turns out, hackers have relied on this inherent trust to exploit poor security implementations in a wide-ranging number of third-party security apps.

Since the 2007 release of OS X Leopard, it seems that confusing language in Apple’s API documentation led many developers, including those of the Little Snitch Firewall, to improperly implement code signing verification. The exploit was surprisingly simple and relied on the Universal file format Apple uses to allow some applications to run on different types of Macs. By bundling together several code binaries in one package and including Apple-signed code at the top, these third-party security applications would read the entire bundle as signed by Apple.

Put another way, malicious code could wear the mask of legitimacy by showing something signed by Apple to these programs first. They would not investigate deeper into the file and thus would fail to realize that a potentially malicious and unsigned payload lurked beneath the facade. Since the bad guys wouldn’t need to steal a legitimate certificate from anywhere and only needed to include something already signed by Apple, this would have been trivial to exploit. For now, there are no clear known examples of malware exploiting this loophole to attack users.

The good news: this isn’t a bug in macOS itself. In fact, Apple’s own built-in security checks recognize this exploit and prevent it from working altogether. After receiving word of the problem, Apple updated its developer documentation to make mitigating this risk clearer for third parties. The ability to stop it has always existed — it simply wasn’t clear that it was necessary! Developers have already begun creating patches to correct signing verification, so if you use third-party firewall apps and other, similar software, keep an eye out for those updates.