Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses for Years

by

Hackers have had an "easy way" to get certain malware past signature checks in third-party security tools since Apple's OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that hackers could essentially trick the security tools -- designed to sniff out suspiciously signed software -- into thinking the malware was officially signed by Apple while they in fact hid malicious software.

macos code signing bypass
The researchers said that the signature bypassing method is so "easy" and "trivial" that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple. These digital signatures are core security functions that let users know the app in question was signed with the private key of a trusted party, like Apple does with its first-party apps.

Joshua Pitts, senior penetration testing engineer for security firm Okta, said he discovered the technique in February and informed Apple and the third-party developers about it soon after. Okta today also published information about the bypass, including a detailed disclosure timeline that began on February 22 with a report submitted to Apple and continues to today's public disclosure.

Ars Technica broke down how the method was used and which third-party tools are affected:

The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple. At least eight third-party tools would show other non-signed executable code included in the same bundle as being signed by Apple, too.

Affected third-party tools included VirusTotal, Google Santa, Facebook OSQuery, the Little Snitch Firewall, Yelp, OSXCollector, Carbon Black’s db Response, and several tools from Objective-See. Many companies and individuals rely on some of the tools to help implement whitelisting processes that permit only approved applications to be installed on a computer, while forbidding all others.

Developer Patrick Wardle spoke on the topic, explaining that the bypass was due to ambiguous documentation and comments provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: "To be clear, this is not a vulnerability or bug in Apple's code... basically just unclear/confusing documentation that led to people using their API incorrectly." It's also not an issue exclusive to Apple and macOS third-party security tools, as Wardle pointed out: "If a hacker wants to bypass your tool and targets it directly, they will win."

For its part, Apple was said to have stated on March 20 that it did not see the bypass as a security issue that needed to be directly addressed. On March 29, the company updated its documentation to be more clear on the matter, stating that "third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result."

Tag: Security

Popular Stories

apple launch feb 2025 alt

Here Are the New Apple Products We're Still Expecting This Spring

Thursday February 20, 2025 5:06 am PST by
Now that Apple has announced its new more affordable iPhone 16e, our thoughts turn to what else we are expecting from the company this spring. There are three product categories that we are definitely expecting to get upgraded before spring has ended. Keep reading to learn what they are. If we're lucky, Apple might make a surprise announcement about a completely new product category. M4...
Read Full Article61 comments
prioritize notifications ios 18 4

Everything New in iOS 18.4 Beta 1

Friday February 21, 2025 1:08 pm PST by
Apple finally released the first beta of iOS 18.4 to developers for testing purposes, and while the beta is lacking some of the Apple Intelligence features we were hoping for, there are some notable new additions. Subscribe to the MacRumors YouTube channel for more videos. Priority Notifications - Apple Intelligence There is a new Priority Notifications feature that can show you your most...
Read Full Article91 comments
Apple iPhone 16e Feature

Apple Announces iPhone 16e With A18 Chip and Apple Intelligence, Pricing Starts at $599

Wednesday February 19, 2025 8:02 am PST by
Apple today introduced the iPhone 16e, its newest entry-level smartphone. The device succeeds the third-generation iPhone SE, which has now been discontinued. The iPhone 16e features a larger 6.1-inch OLED display, up from a 4.7-inch LCD on the iPhone SE. The display has a notch for Face ID, and this means that Apple no longer sells any iPhones with a Touch ID fingerprint button, marking the ...
Read Full Article691 comments
ios 18 4 ambient music

iOS 18.4 Adds New Ambient Music Feature

Friday February 21, 2025 11:06 am PST by
In iOS 18.4, there's a new Ambient Music option that can be added to Control Center. There are four different sound categories, including Sleep, Chill, Productivity, and Wellbeing. Each category can be added to Control Center separately, and tapping one plays a random selection of sounds or music from that particular category. You can't choose what's playing from Control Center, but if...
Read Full Article39 comments
iphone 17 pro asherdipps

iPhone 17 Pro Models Rumored to Feature Aluminum Frame Instead of Titanium Frame

Tuesday February 18, 2025 12:02 pm PST by
Over the years, Apple has switched from an aluminum frame to a stainless steel frame to a titanium frame for its highest-end iPhones. And now, it has been rumored that Apple will go back to using aluminum for three out of four iPhone 17 models. In an investor note with research firm GF Securities, obtained by MacRumors this week, Apple supply chain analyst Jeff Pu said the iPhone 17, iPhone...
Read Full Article176 comments
iPhone 16e Feature

Apple Denies Speculation Surrounding iPhone 16e's Lack of MagSafe

Friday February 21, 2025 8:01 am PST by
Apple has confirmed that its custom-designed C1 modem in the iPhone 16e has nothing to do with the device's lack of MagSafe support, according to Macworld. Following the launch of the iPhone 16e, there was some speculation online about how MagSafe magnets might have interfered with the C1 modem's cellular connectivity performance, and this was considered to be a potential reason for the...
Read Full Article160 comments
Generic iOS 18

Here's When Apple Will Release iOS 18.4

Wednesday February 19, 2025 11:38 am PST by
Following the launch of the iPhone 16e, Apple updated its iOS 18, iPadOS 18, and macOS Sequoia pages to give a narrower timeline on when the next updates are set to launch. All three pages now state that new Apple Intelligence features and languages will launch in early April, an update from the more broader April timeframe that Apple provided before. The next major point updates will be iOS ...
Read Full Article46 comments
oppo find n5 fingers

World's Thinnest Foldable Phone Launches in Europe and Asia

Thursday February 20, 2025 8:55 am PST by
Oppo has launched the Find N5, the world's thinnest foldable phone yet. When closed, the book-style foldable measures 8.93mm. That's less than a millimeter thicker than an iPhone 16 Pro, and thinner than the Honor Magic V3, which was the previous record holder. The device is barely thicker than its USB-C port. Indeed, Oppo has suggested that the obstacle to making it any thinner is now "the...
Read Full Article178 comments

Top Rated Comments

OldSchoolMacGuy Avatar
OldSchoolMacGuy
88 months ago
These companies are prioritizing speed for security. We can assume they'll now implement proper checks, but it will come at the cost of speed.

I'm sure most won't bother to read this article and blame Apple, but the real blame here is with developers including Little Snitch, xFence, and Facebook's OSquery. They're the ones that failed to properly check these signatures.
Score: 12 Votes (Like | Disagree)
ThunderSkunk Avatar
ThunderSkunk
88 months ago
Wow, but somehow, I'm less concerned about the security threat than I am excited to have discovered the job title "Senior Penetration Testing Engineer". ...someone's up for a performance review & promotion!
Score: 6 Votes (Like | Disagree)
skin88 Avatar
skin88
88 months ago
Does Apple give a damn?? Obviously not. It's focused now on important kindergarten stuff like animojis and AR gimmicks.
Score: 5 Votes (Like | Disagree)
slimtastic Avatar
slimtastic
88 months ago
This is very bad. Thank goodness for white-hats who find this stuff out.
Score: 4 Votes (Like | Disagree)
konqerror Avatar
konqerror
88 months ago

I'm sure most won't bother to read this article and blame Apple, but the real blame here is with developers including Little Snitch, xFence, and Facebook's OSquery. They're the ones that failed to properly check these signatures.
It's Apple's fault. When 8 separate developers use the API in the wrong way, there's an issue with the API and instructions.
Score: 4 Votes (Like | Disagree)
OldSchoolMacGuy Avatar
OldSchoolMacGuy
88 months ago
It's Apple's fault. When 8 separate developers use the API in the wrong way, there's an issue with the API and instructions.
No, it's really not. It's the developers responsibility to use the proper security procedures in their app. Is it the states fault that people fail to follow speed limit signs?
Score: 2 Votes (Like | Disagree)
Read All Comments