Apple code-signing bypass that let malware pose as Apple software went unnoticed for a decade
Security researchers on Tuesday disclosed a technique that could have allowed attackers to bypass a wide range of commercial products built to protect Apple devices from malware. While there is no evidence the bypass was ever used maliciously, the flaw went unnoticed for more than ten years.
Vendors such as Google and Facebook, along with several others, built tools that rely on Apple's official code-signing APIs to confirm where a piece of code came from and that it can be trusted. The way those tools used the APIs was flawed, however, making it easy for an attacker to pass off code as if it had been signed by Apple, in effect impersonating Apple itself.
The issue was found by security firm Okta in February 2018. Apple was notified shortly afterwards and the affected developers were informed in turn. Okta said the affected vendors include Google, Facebook, VirusTotal, Objective-See, Objective Development, Yelp, Carbon Black and F-Secure.
Code signing is a security mechanism in which a cryptographically generated signature is used to verify the origin and integrity of code. The code is signed with a private key known only to its author. That key is paired with a public key, which anyone can use to check that the code was indeed signed with the author's private key. The procedure the security vendors used to check those signatures was flawed, however, which in principle allowed an attacker to impersonate Apple.
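To make that class of mistake concrete, the following Go program is an added example written for this page; it is not code from Okta, Apple or any of the vendors named above. It models code signing with Ed25519 and a hypothetical multi-slice executable format (a simplification that stands in for a universal binary's per-architecture slices; the `Slice`, `Binary`, `FlawedVerify`, `StrictVerify` and `RunScenario` names and the sample payloads are my own constructions). The flawed verifier treats the whole binary as trusted after checking only the first slice, so an attacker who places a genuinely vendor-signed slice first and their own payload second is accepted. The strict verifier requires every slice to carry a valid signature from the trusted key and rejects the same binary.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Slice is one component of a multi-part executable. Hypothetical format:
// a stand-in for the per-architecture slices of a universal binary, not the
// real Mach-O layout.
type Slice struct {
	Arch string
	Code []byte
	Sig  []byte // Ed25519 signature over Code; empty if the slice is unsigned
}

// Binary is the container a loader picks one slice from.
type Binary struct {
	Slices []Slice
}

// SignSlice produces a slice whose code is signed with the author's private key.
func SignSlice(priv ed25519.PrivateKey, arch string, code []byte) Slice {
	return Slice{Arch: arch, Code: code, Sig: ed25519.Sign(priv, code)}
}

// signedBy checks one slice against one public key.
func signedBy(pub ed25519.PublicKey, s Slice) bool {
	return len(s.Sig) == ed25519.SignatureSize && ed25519.Verify(pub, s.Code, s.Sig)
}

// FlawedVerify models the broken check: it validates only the first slice
// and treats the whole binary as trusted if that one passes.
func FlawedVerify(trusted ed25519.PublicKey, b Binary) error {
	if len(b.Slices) == 0 {
		return errors.New("empty binary")
	}
	if !signedBy(trusted, b.Slices[0]) {
		return errors.New("first slice is not signed by the trusted key")
	}
	return nil
}

// StrictVerify models the correct check: every slice must carry a valid
// signature from the trusted key, so no unverified code can ever be loaded.
func StrictVerify(trusted ed25519.PublicKey, b Binary) error {
	if len(b.Slices) == 0 {
		return errors.New("empty binary")
	}
	for i, s := range b.Slices {
		if !signedBy(trusted, s) {
			return fmt.Errorf("slice %d (%s) is not signed by the trusted key", i, s.Arch)
		}
	}
	return nil
}

// Result records which verifier accepted which constructed binary.
type Result struct {
	FlawedAcceptsLegit, StrictAcceptsLegit   bool
	FlawedAcceptsForged, StrictAcceptsForged bool
	StrictError                              string
}

// RunScenario builds constructed inputs and runs both verifiers. The "vendor"
// key plays the role of Apple; the attacker has a key of their own but no
// access to the vendor's private key.
func RunScenario() (Result, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	// Legitimate binary: both slices signed by the vendor.
	legit := Binary{Slices: []Slice{
		SignSlice(vendorPriv, "x86_64", []byte("vendor code (x86_64)")),
		SignSlice(vendorPriv, "arm64", []byte("vendor code (arm64)")),
	}}
	// Forged binary: a real vendor-signed slice first, then the attacker's
	// payload, signed only with the attacker's own key.
	forged := Binary{Slices: []Slice{
		legit.Slices[0],
		SignSlice(attackerPriv, "arm64", []byte("attacker payload (arm64)")),
	}}
	r := Result{
		FlawedAcceptsLegit:  FlawedVerify(vendorPub, legit) == nil,
		StrictAcceptsLegit:  StrictVerify(vendorPub, legit) == nil,
		FlawedAcceptsForged: FlawedVerify(vendorPub, forged) == nil,
	}
	if err := StrictVerify(vendorPub, forged); err != nil {
		r.StrictError = err.Error()
	} else {
		r.StrictAcceptsForged = true
	}
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Run it with `go run` to print the Result struct. The lesson the strict verifier encodes is that "has a valid signature" is never enough on its own: the check has to be anchored to the specific signer you trust, and it has to cover every piece of code the loader could actually execute, not just the first one it finds.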
“Different types of tools and products use code signing to implement actionable security; this includes whitelisting, antivirus, incident response, and threat hunting products,” Okta engineer Josh Pitts wrote in a blog post. “To undermine a code signing implementation for a major OS would break a core security construct that many depend on for day to day security operations.” (The nuts and bolts of the issue are explained by Pitts here.)
The problem, which may or may not ever have been exploited, was discovered, reported to Apple and the affected vendors, and then publicly disclosed. All that is really left now is a little finger-pointing.
In remarks published by Okta, Apple appears to suggest that it was the developers' fault for not running the checks properly. The developers, meanwhile, say that Apple's documentation, which has reportedly since been updated, was both confusing and unclear. Given how many products were affected, the latter seems more than likely.
Applauding the researchers, a spokesperson for F-Secure said the company pushed an automatic update on Saturday fixing the issue for users of its XFENCE utility. “This is the sort of research and process that result in better security for all.”
Julia Sowells
Julia Sowells is a technology and security professional. Over a decade in the industry she has worked on dozens of large-scale enterprise security projects, written technical articles and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.