A security problem that has existed for eleven years means that malicious Mac apps could appear to be signed by Apple, fooling many of the tools designed to detect them.

The problem – caused by unclear guidance by Apple – meant that malware could be whitelisted in a wide range of tools used by individuals and companies alike …

ArsTechnica explains the issue.

The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple. At least eight third-party tools would show other non-signed executable code included in the same bundle as being signed by Apple, too. Affected third-party tools included VirusTotal, Google Santa, Facebook OSQuery, the Little Snitch Firewall (see below), Yelp, OSXCollector, Carbon Black’s Cb Response, and several tools from Objective-See.

In other words, you could have a file that contained a legitimate version of an app for PPC, and malware for Intel, and the tools would be fooled into applying the PPC whitelisting to the Intel version too. That malware would then appear to be signed by Apple.

The problem, says security researcher Patrick Wardle – whose own Objective-See apps were caught out – is that Apple’s documentation was unclear.

Apple has now clarified the documentation, which should result in the developers of the third-party tools fixing the problem.

“To be clear, this is not a vulnerability or bug in Apple’s code… basically just unclear/confusing documentation that led to people using their API incorrectly,” Wardle told Ars. “Apple updated [its] documents to be more clear, and third-party developers just have to invoke the API with a more comprehensive flag (that was always available).”
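The first-slice-versus-all-slices distinction Wardle describes, as an added example in Python (not code from the article, from Apple, or from any of the tools named): it parses a constructed two-slice fat binary and shows that a check which only looks at the first Mach-O slice passes a file whose second slice carries no code signature at all. The presence of an LC_CODE_SIGNATURE load command is only a necessary condition and is used here as a stand-in for real verification, which is done by the macOS Security framework; the comprehensive flag Wardle refers to is, to my knowledge, kSecCSCheckAllArchitectures, a name the article itself does not give.

```python
import struct

# Constants from <mach-o/fat.h> and <mach-o/loader.h>; fat headers are big-endian, slices little-endian
FAT_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACF
LC_CODE_SIGNATURE, LC_UUID = 0x1D, 0x1B        # LC_CODE_SIGNATURE points at a slice's signature blob
CPU_TYPE_X86_64, CPU_TYPE_ARM64 = 0x01000007, 0x0100000C

def fat_slices(data):
    """Return (cputype, offset, size) for every slice listed in the fat header."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat binary")
    entries = [struct.unpack_from(">iiIII", data, 8 + 20 * i) for i in range(nfat)]
    return [(cputype, off, size) for cputype, _sub, off, size, _align in entries]

def slice_has_code_signature(data, off, size):
    """Necessary (not sufficient) sign of a signed slice: an LC_CODE_SIGNATURE load command.
    Assumption: 64-bit little-endian slices only; a PPC slice like the page's would need a 32-bit BE parser."""
    blob = data[off:off + size]
    if struct.unpack_from("<I", blob, 0)[0] != MH_MAGIC_64:
        return False
    ncmds, pos = struct.unpack_from("<I", blob, 16)[0], 32   # load commands follow the 32-byte header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, pos)
        if cmd == LC_CODE_SIGNATURE:
            return True
        pos += cmdsize
    return False

def looks_signed(data, all_architectures):
    """False: judge the file by its first slice, as the affected tools did. True: every slice must pass."""
    results = [slice_has_code_signature(data, o, s) for _, o, s in fat_slices(data)]
    return all(results) if all_architectures else results[0]

def _macho64(cputype, cmds):
    """Constructed minimal Mach-O: a mach_header_64 followed by the given load commands."""
    body = b"".join(cmds)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, 2, len(cmds), len(body), 0, 0) + body

def _fat(slices):
    """Constructed fat wrapper: big-endian header plus fat_arch table, slices appended in order."""
    header, body, base = struct.pack(">II", FAT_MAGIC, len(slices)), b"", 8 + 20 * len(slices)
    for cputype, blob in slices:
        header += struct.pack(">iiIII", cputype, 0, base + len(body), len(blob), 0)
        body += blob
    return header + body

# Constructed sample: the first slice carries a code-signature command, the second one does not.
SAMPLE = _fat([(CPU_TYPE_X86_64, _macho64(CPU_TYPE_X86_64, [struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)])),
               (CPU_TYPE_ARM64, _macho64(CPU_TYPE_ARM64, [struct.pack("<II16s", LC_UUID, 24, bytes(16))]))])
```

With the sample, looks_signed(SAMPLE, all_architectures=False) returns True while looks_signed(SAMPLE, all_architectures=True) returns False, which is exactly the gap the affected tools fell into.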

Update: Little Snitch tells us that although its firewall would show the app as valid, it would flag a mismatch when a malicious app requested a network connection. The default behavior in that situation would be that the connection would be blocked. It has now resolved the issue so that unsigned apps are no longer shown as valid. See their blog post for more details.