Mac security vulnerability via outside apps opened the door to hacking
A security flaw in the way outside applications tie into an Apple Inc. application programming interface, present in versions of the Mac operating system going back more than a decade, has been revealed for the first time.
Discovered by researchers at identity management firm Okta Inc., the flaw is described as a bypass ability found in third-party developers’ interpretation of Apple’s code signing API that allows unsigned malicious code to appear to be signed by Apple.
The flaw was introduced to OS X and later macOS via products from companies such as Facebook Inc., Google Inc. and Yelp Inc. and security software from Carbon Black Inc. and F-Secure Corp.
More specifically, according to Ars Technica, “the technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple… [allowing] anyone to pass off malicious code as an app that was signed with the key Apple uses to sign its apps.”
Rod Soto, director of security research at JASK Inc., told SiliconANGLE that “Apple has always been known to be one of the most secure development platforms, with past incidents indicating that only professional criminals or nation-state groups (with extensive resources) could perform these types of attacks.”
“However, this new report suggests that by obtaining a developer certificate and abusing third-party application code signing, malicious actors can carry out attacks seamlessly,” Soto added. “It would be encouraging if, following this disclosure, Apple performed an App Store-wide audit to ensure it isn’t vulnerable to hackers going forward.”
All companies involved in introducing the vulnerability were informed of it prior to details being published. Facebook, Google and F-Secure said they have addressed it in recent updates. Yelp said that it has implemented an interim solution that disables the code-signing check that can be bypassed by this vulnerability until a more comprehensive fix can be released.
Apple pointed the finger at third-party developers, saying that they “need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.”
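As an added illustration, not code from Okta, Apple or this article: a minimal Python parser for the Fat/Universal header described above, showing the bypassed check-the-first-slice pattern beside the check-every-slice policy Apple recommends. The SIGNER: trailer and the build_fat helper are constructed stand-ins for a real per-slice signature verification, which on macOS is done by the system's Security framework.

```python
import struct
FAT_MAGIC = 0xCAFEBABE                      # Fat/Universal header is big-endian
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE}
CPU_I386, CPU_X86_64 = 0x7, 0x01000007

def fat_slices(blob):
    """Return [(cputype, slice_bytes), ...] for every architecture in a Fat binary."""
    magic, nfat = struct.unpack_from(">II", blob, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a Fat/Universal binary")
    out = []
    for i in range(nfat):                    # each fat_arch entry is five big-endian uint32s
        cputype, _sub, off, size, _align = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
        if off + size > len(blob):
            raise ValueError("slice %d runs past the end of the file" % i)
        out.append((cputype, blob[off:off + size]))
    return out

def signer_of(slice_bytes):
    """Constructed stand-in for a per-slice signature check: Mach-O image with a SIGNER: tag."""
    if len(slice_bytes) < 4 or struct.unpack_from("<I", slice_bytes, 0)[0] not in MACHO_MAGICS:
        return None
    _head, sep, tag = slice_bytes.rpartition(b"SIGNER:")
    return tag.decode() if sep else None

def check_first_slice_only(blob):
    """The bypassed pattern: accept the whole file on the first slice's signer alone."""
    return signer_of(fat_slices(blob)[0][1])

def check_all_slices(blob):
    """Apple's guidance: every slice must present the same identity; otherwise reject."""
    identities = {signer_of(s) for _cpu, s in fat_slices(blob)}
    if len(identities) != 1 or None in identities:
        return None                         # mixed or missing signers: fail closed
    return identities.pop()

def build_fat(slices):
    """Constructed helper: assemble a Fat binary from (cputype, bytes) pairs."""
    header, body = struct.pack(">II", FAT_MAGIC, len(slices)), b""
    base = 8 + 20 * len(slices)
    for cputype, data in slices:
        header += struct.pack(">IIIII", cputype, 3, base + len(body), len(data), 0)
        body += data
    return header + body

# Constructed samples: an Apple-signed i386 slice first, then an unsigned or a signed x86_64 slice.
APPLE_SLICE = struct.pack("<I", 0xFEEDFACE) + b"\x00" * 24 + b"SIGNER:Apple"
MIXED_SAMPLE = build_fat([(CPU_I386, APPLE_SLICE),
                          (CPU_X86_64, struct.pack("<I", 0xFEEDFACF) + b"\x00" * 28 + b"no signature")])
CLEAN_SAMPLE = build_fat([(CPU_I386, APPLE_SLICE), (CPU_X86_64, struct.pack("<I", 0xFEEDFACF) + b"SIGNER:Apple")])
```

Running check_first_slice_only on MIXED_SAMPLE reports "Apple" even though the slice that would actually execute on an x86_64 Mac is unsigned; check_all_slices rejects it and accepts only CLEAN_SAMPLE.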
Photo: choubistar/Flickr