Security News: Mac Security Tool Bugs Allow Malware to Appear as Apple Software

LASER_oneXM (thread author)
Feb 4, 2016
A bug existed in third-party Mac security programs from Facebook, Google, VirusTotal, and more that allowed malware to appear as legitimate programs code-signed by Apple. The bug is caused by the method the applications use to check whether an executable is properly signed, which allows attackers to craft specially designed malware executables that appear to be signed by Apple even when they are not.

When a developer code-signs an application, a signature is embedded into the executable that can be used to verify that the application has not been tampered with and that it comes from the organization you expect. Some security utilities use these embedded signatures as a way to whitelist executables, and users rely on them as a way to feel assured that a program is safe to execute.

For example, if a program has a signature showing it was signed by Apple, you may feel more comfortable executing it than an application that is not signed and provides no indication of where it came from.

Affected Programs

In order to coordinate disclosure of this issue with third-party application vendors, Okta and Pitts contacted the CERT Coordination Center (CERT/CC). Along with CERT/CC, all known third-party vendors were contacted prior to the disclosure of this bug. Pitts also provided a sample of a malicious Fat file that vendors can use to test their products.

The research stated that the following vendors and their applications were affected. I have also included the known updates to these tools that resolve the vulnerability.

  • VirusTotal – CVE-2018-10408
  • Google – Santa, molcodesignchecker – CVE-2018-10405 [Fixed in Santa 0.9.25]
  • Facebook – osquery – CVE-2018-6336 [Fixed in 3.2.7]
  • Objective Development – Little Snitch – CVE-2018-10470 [Fixed in Nightly Build 4.1 (5165)]
  • F-Secure – xFence (also Little Flocker) – CVE-2018-10403
  • Objective-See – WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer (and others) – CVE-2018-10404 [WhatsYourSign 1.5.0]
  • Yelp – OSXCollector – CVE-2018-10406
  • Carbon Black – Cb Response – CVE-2018-10407

While the above is a list of known third-party applications, Pitts expects that many other applications are also vulnerable.
For any vendor information that is missing above, feel free to contact us and we will update the above list with your info.
 
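As an added illustration, not code from the post, from the researchers, or from any of the vendors listed above: the test sample mentioned in the post is a Fat (universal) file, a container that carries several Mach-O slices for different CPU types in one binary. A checker that validates the signature of only the first slice can be satisfied by a genuinely Apple-signed slice while the loader runs a different slice chosen for the host CPU. The Python below parses the Fat header, identifies the slice that would actually execute on a given host, and contrasts a first-slice-only check with an all-slices check. The `verify_slice` callback is a stand-in for a real signature check (codesign or Security.framework on a Mac); the sample binary and the callback's policy are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Constants from <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE        # fat_header magic, always stored big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O magic, stored in the slice's own byte order
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O magic
MH_EXECUTE = 0x2
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_I386 = 0x00000007
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_TYPE_NAMES = {CPU_TYPE_I386: "i386", CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


@dataclass
class FatSlice:
    index: int
    cputype: int
    cpusubtype: int
    offset: int
    size: int
    macho_magic: int

    @property
    def arch(self) -> str:
        return CPU_TYPE_NAMES.get(self.cputype, hex(self.cputype))


def parse_fat(data: bytes) -> list:
    """Return every slice declared by a Fat (universal) header, in file order."""
    if len(data) < 8:
        raise ValueError("too short for a fat_header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError(f"not a Fat binary: magic {magic:#x}")
    slices = []
    for i in range(nfat_arch):
        base = 8 + i * 20                       # sizeof(struct fat_arch) == 20
        if base + 20 > len(data):
            raise ValueError(f"fat_arch {i} is truncated")
        cputype, cpusubtype, offset, size, _align = struct.unpack(">IIIII", data[base:base + 20])
        if size < 4 or offset + size > len(data):
            raise ValueError(f"slice {i} lies outside the file")
        (macho_magic,) = struct.unpack("<I", data[offset:offset + 4])
        slices.append(FatSlice(i, cputype, cpusubtype, offset, size, macho_magic))
    return slices


def native_slice(slices, host_cputype):
    """The slice the loader would pick on a host of host_cputype, or None if there is none."""
    for s in slices:
        if s.cputype == host_cputype:
            return s
    return None


def verify_first_slice_only(data: bytes, verify_slice) -> bool:
    """Flawed pattern: the verdict for slice 0 is applied to the whole file."""
    return verify_slice(parse_fat(data)[0])


def verify_every_slice(data: bytes, verify_slice) -> bool:
    """Sound pattern: every slice must verify, since any of them may be the one that runs."""
    return all(verify_slice(s) for s in parse_fat(data))


def minimal_macho(cputype: int) -> bytes:
    """Constructed sample: a bare mach_header / mach_header_64 with no load commands."""
    if cputype & CPU_ARCH_ABI64:
        return struct.pack("<IIIIIIII", MH_MAGIC_64, cputype, 0x3, MH_EXECUTE, 0, 0, 0, 0)
    return struct.pack("<IIIIIII", MH_MAGIC, cputype, 0x3, MH_EXECUTE, 0, 0, 0)


def build_fat(payloads) -> bytes:
    """Constructed sample: pack (cputype, bytes) pairs into a Fat file (slices packed, align=0)."""
    header = bytearray(struct.pack(">II", FAT_MAGIC, len(payloads)))
    header_len = 8 + 20 * len(payloads)
    body = bytearray()
    for cputype, payload in payloads:
        header += struct.pack(">IIIII", cputype, 0x3, header_len + len(body), len(payload), 0)
        body += payload
    return bytes(header + body)


# Constructed sample: an i386 slice first, an x86_64 slice second.
SAMPLE_FAT = build_fat([
    (CPU_TYPE_I386, minimal_macho(CPU_TYPE_I386)),
    (CPU_TYPE_X86_64, minimal_macho(CPU_TYPE_X86_64)),
])


def only_i386_is_trusted(s: FatSlice) -> bool:
    """Constructed policy standing in for a signature check: only the i386 slice 'verifies'."""
    return s.cputype == CPU_TYPE_I386


if __name__ == "__main__":
    slices = parse_fat(SAMPLE_FAT)
    for s in slices:
        print(f"slice {s.index}: {s.arch:7} offset={s.offset} size={s.size} magic={s.macho_magic:#x}")
    runs = native_slice(slices, CPU_TYPE_X86_64)
    print("slice that runs on an x86_64 host:", runs.index, runs.arch)
    print("first-slice-only check:", verify_first_slice_only(SAMPLE_FAT, only_i386_is_trusted))
    print("every-slice check:     ", verify_every_slice(SAMPLE_FAT, only_i386_is_trusted))
```

The two checks disagree on the sample: the first-slice-only check accepts the file on the strength of slice 0, while the every-slice check rejects it because slice 1, the one an x86_64 host would actually run, does not verify. A checker that only ever inspects slice 0 is exactly the pattern a Fat test file like the one mentioned in the post is meant to catch.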
