I Snuck a Bad Apple into the Basket, and Nobody Noticed

Matias Brutti
June 12, 2018

Imagine the havoc a sophisticated threat actor could wreak by tricking a user into downloading and executing malicious code that current security products deem as safe. They can get access to personal data, financial details, or sensitive insider information. That scenario is precisely what could happen based on new research published today from Okta’s Research and Exploitation Team (REX).

Okta REX has discovered a vulnerability in what is known as ‘code signing,’ effectively allowing any bad actor to impersonate Apple and allow malicious code to live undetected in a macOS machine indefinitely (or at least until it’s re-imaged or the offending file is removed). Today 91% of enterprises use Macs and depend on vendors like Carbon Black, Facebook, and Google to provide them with security tools to protect their environments. That trend is growing every year. People and businesses use Macs for many reasons; ease of use and security are chief among them.

Okta REX Staff Researcher Josh Pitts was able to create a malformed program that, to the security products we depend on to tell us when some code is bad, would look like it’s been authorized by Apple itself. This vulnerability takes advantage of ‘code signing,’ the standardized process of using public key infrastructure to digitally ‘sign’ compiled code or even scripting languages – making a FAT file look like it came from a trusted origin (i.e., that it’s gotten the stamp of approval from Apple) and that the deployed code has not been modified.

All third-party security, forensics, and incident response tools that used the official code signing API are affected. We’ve worked with the top security vendors in this space, including Google (Santa) and Facebook (OSquery), as well as tools like Carbon Black, VirusTotal, and Objective-See tools like WhatsYourSign, ProcInfo, KnockKnock, LuLu, and TaskExplorer (among several others).

By exploiting this vulnerability, threat actors can trick even the most security-savvy people and bypass a core security function that most end users don’t know or think about as they go about their digital activities. And, with the proliferation of apps for the workplace and personal use in everybody’s daily lives, bad actors can easily abuse this vulnerability.

For the full technical breakdown of this vulnerability, check out Josh’s post on our security blog.

Tags

API security
Previous
Next

April 17, 2024

Okta Workflows Tutorial: Build a Connector for the OpenWeather API

By Max Katz
This tutorial will teach you how to build a connector for the OpenWeather API using the Okta Workflows Connector Builder. Connector for OpenWeather API What is…

Read now

April 17, 2024

What Is single sign-on (SSO)?

By Okta
Single sign-on (SSO) is an authentication tool that enables users to securely access multiple applications and services using one set of credentials,…

Read now

April 17, 2024

What Is an Identity platform?

By Okta
An Identity platform is a centralized framework that manages the digital identities of humans and devices, enabling organizations to authorize secure user…

Read now

April 16, 2024

Extend your passwordless journey to device login

By Cynthia Luu
Okta Device Access now supports passwordless login and FIDO2 YubiKeys for Desktop MFA Despite all the talk of driving workers back into the office, most…

Read now

April 15, 2024

Simple and secure user experiences: The latest on Okta Customer Identity Solution

By Ruchita Shah
Customer expectations are higher than ever, including access to the applications they need from any device, wherever they are in the world. Businesses are…

Read now