UPDATED 23:40 EDT / JUNE 12 2018


Mac security vulnerability via outside apps opened the door to hacking

A security flaw in the way outside applications tie into an Apple Inc. application programming interface, present in versions of the Mac operating system going back more than a decade, has been revealed for the first time.

Discovered by researchers at identity management firm Okta Inc., the flaw is described as a bypass in third-party developers’ interpretation of Apple’s code signing API that allows unsigned malicious code to appear to be signed by Apple.

The flaw was introduced to OS X and later macOS via products from companies such as Facebook Inc., Google Inc. and Yelp Inc. and security software from Carbon Black Inc. and F-Secure Corp.

More specifically, according to Ars Technica, “the technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple… [allowing] anyone to pass off malicious code as an app that was signed with the key Apple uses to sign its apps.”

Rod Soto, director of security research at JASK Inc., told SiliconANGLE that “Apple has always been known to be one of the most secure development platforms, with past incidents indicating that only professional criminals or nation-state groups (with extensive resources) could perform these types of attacks.”

“However, this new report suggests that by obtaining a developer certificate and abusing third-party application code signing, malicious actors can carry out attacks seamlessly,” Soto added. “It would be encouraging if, following this disclosure, Apple performed an App Store-wide audit to ensure it isn’t vulnerable to hackers going forward.”

All companies involved in introducing the vulnerability were informed of it prior to details being published. Facebook, Google and F-Secure said they have addressed it in recent updates. Yelp said that it has implemented an interim solution that involves disabling the code signing check functionality that can be bypassed by this vulnerability until a more comprehensive fix can be released.

Apple pointed the finger at third-party developers, saying that they “need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.”
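The check Apple describes, sketched as an added example that is not code from Apple, Okta or any of the vendors named: it parses the Fat/Universal header, then contrasts a first-slice-only check with one that requires every slice to carry the same identity. `toy_identity`, `build_fat` and the sample blobs are hypothetical stand-ins; a real checker would validate each slice with the operating system's code-signing API.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # big-endian magic of a 32-bit Fat/Universal header
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc"}

def fat_slices(data):
    """Return (arch, slice_bytes) for every architecture in a Fat file."""
    if len(data) < 8:
        raise ValueError("file too short for a Fat header")
    magic, count = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a Fat/Universal file")
    if 8 + 20 * count > len(data):
        raise ValueError("fat_arch table is truncated")
    out = []
    for i in range(count):
        # fat_arch: cputype, cpusubtype, offset, size, align (big-endian u32)
        cputype, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError("slice %d lies outside the file" % i)
        out.append((CPU_NAMES.get(cputype, hex(cputype)), data[offset:offset + size]))
    return out

def first_slice_identity(data, identity_of):
    """The flawed pattern: only the first slice is examined."""
    return identity_of(fat_slices(data)[0][1])

def all_slices_identity(data, identity_of):
    """Return the common signer only if every slice is signed by the same one."""
    ids = {identity_of(blob) for _, blob in fat_slices(data)}
    if len(ids) == 1 and None not in ids:
        return ids.pop()
    return None

# --- constructed sample input (stand-in blobs, not real Mach-O files) ---
def toy_identity(blob):
    """Hypothetical verifier: a real one validates the slice's signature."""
    return blob[7:].decode() if blob.startswith(b"SIGNER=") else None

def build_fat(slices):
    offset = 8 + 20 * len(slices)
    table = body = b""
    for cputype, blob in slices:
        table += struct.pack(">5I", cputype, 0, offset, len(blob), 0)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + table + body

MIXED = build_fat([(7, b"SIGNER=Vendor A"), (0x01000007, b"unsigned code")])
UNIFORM = build_fat([(7, b"SIGNER=Vendor A"), (0x01000007, b"SIGNER=Vendor A")])
```

On the constructed `MIXED` file the first-slice check reports a signer while the all-slices check returns `None`, which is the gap between the two approaches.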

Photo: choubistar/Flickr
