UPDATED 23:40 EDT / JUNE 12 2018


Mac security vulnerability via outside apps opened the door to hacking

A security flaw in the way third-party applications use an Apple Inc. application programming interface, present in versions of the Mac operating system going back more than a decade, has been revealed for the first time.

Discovered by researchers at identity management firm Okta Inc., the flaw is described as a bypass rooted in third-party developers’ interpretation of Apple’s code signing API, one that allows unsigned malicious code to appear to be signed by Apple.

The flaw was introduced to OS X and later macOS via products from companies such as Facebook Inc., Google Inc. and Yelp Inc. and security software from Carbon Black Inc. and F-Secure Corp.

More specifically, according to Ars Technica, “the technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple… [allowing] anyone to pass off malicious code as an app that was signed with the key Apple uses to sign its apps.”

Rod Soto, director of security research at JASK Inc., told SiliconANGLE that “Apple has always been known to be one of the most secure development platforms, with past incidents indicating that only professional criminals or nation-state groups (with extensive resources) could perform these types of attacks.”

“However, this new report suggests that by obtaining a developer certificate and abusing third-party application code signing, malicious actors can carry out attacks seamlessly,” Soto added. “It would be encouraging if, following this disclosure, Apple performed an App Store-wide audit to ensure it isn’t vulnerable to hackers going forward.”

All companies involved in introducing the vulnerability were informed of it before details were published. Facebook, Google and F-Secure said they have addressed it in recent updates. Yelp said it has implemented an interim solution: disabling the code signing check that this vulnerability can bypass until a more comprehensive fix can be released.

Apple pointed the finger at third-party developers, saying that they “need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result.”
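The per-architecture point in Apple's statement, as an added example (not code from Okta, Apple or any vendor named here): a parser that walks every slice of a Fat/Universal file and reports whether each one carries a code-signature load command, run on a constructed two-slice sample. The function names and the sample are assumptions; the presence of the load command is not validation, it only shows that inspecting the first slice says nothing about the rest.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                        # fat header fields are big-endian
MH_MAGICS = {0xFEEDFACE: 28, 0xFEEDFACF: 32}  # Mach-O magic -> header size
LC_CODE_SIGNATURE = 0x1D
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc"}

def slice_has_signature(macho: bytes) -> bool:
    """True if this Mach-O slice carries an LC_CODE_SIGNATURE load command."""
    for end in ("<", ">"):                    # slices may be little- or big-endian
        if len(macho) >= 28 and struct.unpack_from(end + "I", macho)[0] in MH_MAGICS:
            break
    else:
        return False                          # not a Mach-O image at all
    off = MH_MAGICS[struct.unpack_from(end + "I", macho)[0]]
    ncmds = struct.unpack_from(end + "I", macho, 16)[0]
    for _ in range(ncmds):
        if off + 8 > len(macho):
            break                             # truncated load-command table
        cmd, cmdsize = struct.unpack_from(end + "II", macho, off)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            break                             # malformed size: stop, do not loop
        off += cmdsize
    return False

def audit_fat(data: bytes):
    """Return [(arch, has_signature)] for every slice, not just the first."""
    magic, nfat = struct.unpack_from(">II", data)
    if magic != FAT_MAGIC:
        raise ValueError("not a Fat/Universal file")
    report = []
    for i in range(nfat):
        cputype, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        name = CPU_NAMES.get(cputype, hex(cputype))
        report.append((name, slice_has_signature(data[offset:offset + size])))
    return report

def sample_fat() -> bytes:
    """Constructed sample: i386 slice with a signature command, bare x86_64 slice."""
    first = struct.pack("<11I", 0xFEEDFACE, 7, 3, 2, 1, 16, 0, LC_CODE_SIGNATURE, 16, 0, 0)
    second = struct.pack("<8I", 0xFEEDFACF, 0x01000007, 3, 2, 0, 0, 0, 0)
    # Fat header: magic, slice count, then (cputype, subtype, offset, size, align) x 2
    hdr = struct.pack(">12I", FAT_MAGIC, 2, 7, 3, 48, 44, 0, 0x01000007, 3, 92, 32, 0)
    return hdr + first + second

if __name__ == "__main__":
    print(audit_fat(sample_fat()))
```

A checker that stops at the first entry of this report would see only the i386 result; a meaningful verdict requires every slice to be validated and to share one signing identity.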

Photo: choubistar/Flickr
