A newly discovered vulnerability, which has existed for 15 years, can allow security products for Mac to overlook malware by treating it as Apple-signed code.
As Lorenzo Franceschi-Bicchierai from Motherboard notes, the issue is not with MacOS but with how third-party security tools implemented Apple’s APIs. Josh Pitts, the researcher who discovered the flaw, told Motherboard, “I can take malicious code and make it look like it’s signed by Apple.”
Franceschi-Bicchierai explains that code-signing verifies that files are signed with digital certificates, indicating the code is valid and comes from the firm that signed it. “In the case of Apple’s MacOS, if a file is signed by Apple, the computer is programmed to trust it. But Pitts found that he could bundle malicious files with legitimate Apple-signed code and effectively make the malware look like it was signed by Apple. That way, some third-party tools did not detect the malware,” reports Franceschi-Bicchierai.
Margi Murphy from The Telegraph writes, “The exploit could allow a hacker to install malicious software on devices like MacBooks to access personal, financial and sensitive insider information by fooling security products into thinking it is safe.”
The security tools flagged as vulnerable, which reportedly have already released patches, include Google's Santa, Facebook's osquery, Little Snitch, xFence, Yelp's OSXCollector, Carbon Black's Cb Response, and several of Objective-See's tools.
Get the full story at Motherboard.