Security firm Okta claims to have uncovered a major security vulnerability in Apple's "code-signing" mechanism which, according to the firm, has the potential to affect all MacOS users.
Found by Josh Pitts, a researcher on the Okta Research and Exploitation (REX) team, the Apple "code-signing" vulnerability is said to allow anyone, including a malicious actor, to impersonate Apple.
More specifically, by exploiting this vulnerability a threat actor could trick third-party security tools into believing their code is Apple-approved, letting malicious code live on a MacOS machine until the flaw is patched.
"Through this method, a sophisticated threat actor could get access to personal data, financial details, or sensitive insider information," the company said in a statement.
"And, by exploiting this vulnerability, threat actors can bypass a core security function - and even the most vigilant security professionals - that most end users don't know or think about as they go about their digital activities. What this does, is break the chain of trust in code signed by Apple and in MacOS security that people often take for granted."
Code-signing is the standardised process of using public key infrastructure to digitally sign compiled code or scripts to establish a trusted origin and to ensure that the deployed code has not been modified. It is intended to give end users a guarantee that the code they are about to install really does come from whom it claims, and that it is bona fide.
This is a core security function that most end users don't know or think about as they run their everyday applications.
"With millions of consumers and more and more businesses using Mac every day, the potential scope here is enormous," Okta added.
The REX researcher found that virtually all third-party (non-Apple) MacOS security products that use the official Apple code-signing APIs did not verify the cryptographic signature properly.
Pitts was thus able to create a malformed program that, to these security products, appeared to be signed by Apple itself, thereby bypassing a core security feature of those products.
"This technique could, in a post-exploitation and/or phishing attack as a 2nd stage payload, allow for long term persistence in plain sight," Okta explained. "After testing, [we] concluded that this technique bypassed the gambit of whitelisting, incident response, and process inspection solutions by appearing to be signed by Apple's own root certificate."
This security flaw could have been abused since the 2005 introduction of OSX Leopard, as it takes advantage of OSX's support for binaries that carry code for more than one CPU architecture.
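The two points above, what a code signature is supposed to guarantee and why a binary with several CPU-architecture slices needs every slice checked, can be shown with a small script. The following is an added example written for this article, not Okta's or Apple's code and not the researcher's test program. It builds a file in the real Fat (universal) header layout (magic 0xCAFEBABE followed by big-endian fat_arch entries), but the per-slice "signature" is a constructed HMAC tag standing in for Apple's certificate-based Mach-O signature, and the key is a constructed stand-in for a trusted signer. It then contrasts a checker that validates only the first slice with one that validates all of them, and shows that modifying a signed slice is detected.

```python
"""Constructed demo: a code-signature check must cover every slice of a
Fat (universal) Mach-O binary, not just the first one, and must detect
any modification of a signed slice."""
import hashlib
import hmac
import struct

FAT_MAGIC = 0xCAFEBABE           # real fat_header magic (stored big-endian)
CPU_TYPE_X86_64 = 0x01000007     # real cputype values from <mach/machine.h>
CPU_TYPE_I386 = 0x00000007
SLICE_ALIGN = 4096               # slices are page-aligned; fat_arch.align = log2 = 12

# Constructed stand-in for the platform's signing key. Real signatures use a
# certificate chain; only the "verify every slice" logic is the point here.
TRUSTED_KEY = b"constructed-trusted-signer-key"
TAG_LEN = 32


def sign_slice(payload: bytes, key: bytes = TRUSTED_KEY) -> bytes:
    """Append a constructed signature tag (stand-in for a real code signature)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def slice_is_trusted(blob: bytes) -> bool:
    """True only if the slice carries a tag made with the trusted key over its payload."""
    if len(blob) < TAG_LEN:
        return False
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(TRUSTED_KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def build_fat(slices) -> bytes:
    """Pack (cputype, cpusubtype, slice_bytes) tuples into the fat_header/fat_arch layout."""
    cursor = 8 + 20 * len(slices)        # fat_header (8 bytes) + nfat_arch * fat_arch (20 bytes)
    entries, body = [], b""
    for cputype, cpusubtype, data in slices:
        pad = (-cursor) % SLICE_ALIGN    # page-align each slice like real fat files
        body += b"\0" * pad
        cursor += pad
        entries.append(struct.pack(">IIIII", cputype, cpusubtype, cursor, len(data), 12))
        body += data
        cursor += len(data)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + b"".join(entries) + body


def parse_fat(data: bytes):
    """Return [(cputype, cpusubtype, slice_bytes)] for every architecture in the file."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    slices = []
    for i in range(nfat):
        cputype, cpusubtype, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        if off + size > len(data):
            raise ValueError("fat_arch entry points outside the file")
        slices.append((cputype, cpusubtype, data[off:off + size]))
    return slices


def naive_check(data: bytes) -> bool:
    """The weak pattern: validate only the first architecture slice."""
    _, _, first = parse_fat(data)[0]
    return slice_is_trusted(first)


def strict_check(data: bytes) -> bool:
    """The correct pattern: every slice in the file must verify."""
    slices = parse_fat(data)
    return bool(slices) and all(slice_is_trusted(s) for _, _, s in slices)


def demo():
    """Return (naive, strict) verdicts for a fully signed file and a crafted one."""
    legit = build_fat([(CPU_TYPE_X86_64, 3, sign_slice(b"legit x86_64 code")),
                       (CPU_TYPE_I386, 3, sign_slice(b"legit i386 code"))])
    # Constructed: first slice carries a trusted tag, second slice was never signed.
    crafted = build_fat([(CPU_TYPE_X86_64, 3, sign_slice(b"trusted-looking stub")),
                         (CPU_TYPE_I386, 3, b"unsigned second slice" * 4)])
    return {"legit": (naive_check(legit), strict_check(legit)),
            "crafted": (naive_check(crafted), strict_check(crafted))}


if __name__ == "__main__":
    for name, (naive, strict) in demo().items():
        print(f"{name:8} first-slice-only={naive}  all-slices={strict}")
```

The crafted file passes the first-slice-only check and fails the all-slices check, which is the shape of the mistake the article describes: trusting one verified slice as proof that the whole file is trusted. On macOS the corresponding defensive choice is to have Apple's Security framework validate every architecture (the kSecCSCheckAllArchitectures flag to SecStaticCodeCheckValidity, together with kSecCSStrictValidate) rather than relying on the default behaviour.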
"While we are not aware of any prior abuse of this technique by bad actors, we assess that it is highly possible given the ever-present desires to circumstance security in all forms," Okta warned.
With the help of US-CERT, all known affected vendors have been notified of the issue, and Okta said it is publishing a public disclosure today to ensure the public is aware of this vulnerability.
Okta has since clarified that the problem lies in how third-party vendors check Apple's code signing, rather than in Apple's own code.