I Snuck a Bad Apple into the Basket, and Nobody Noticed

Imagine the havoc a sophisticated threat actor could wreak by tricking a user into downloading and executing malicious code that current security products deem safe. They could gain access to personal data, financial details, or sensitive insider information. That scenario is precisely what could happen based on new research published today by Okta’s Research and Exploitation Team (REX).

Okta REX has discovered a vulnerability in how third-party macOS security tools verify ‘code signing’: a crafted file can be made to look as though it was signed by Apple, effectively allowing a bad actor to impersonate Apple and let malicious code live undetected on a macOS machine indefinitely (or at least until the machine is re-imaged or the offending file is removed). Today 91% of enterprises use Macs and depend on vendors like Carbon Black, Facebook, and Google to provide the security tools that protect their environments, and that share grows every year. People and businesses choose Macs for many reasons; ease of use and security are chief among them.

Okta REX Staff Researcher Josh Pitts was able to create a malformed program that, to the security products we depend on to tell us when code is bad, looks as if it had been authorized by Apple itself. Code signing is the standardized process of using public key infrastructure to digitally ‘sign’ compiled code, or even scripts, so that a verifier can confirm two things: that the code came from a trusted origin (i.e., that it carries Apple’s stamp of approval) and that it has not been modified since it was signed. The malformed program is a Fat (multi-architecture) file that satisfies the checks these tools performed on it, so it appears to come from Apple even though the code that actually runs is not Apple’s.

All third-party security, forensics, and incident response tools that relied on the official code signing API without requesting that every architecture in a Fat file be verified are affected. We’ve worked with the top security vendors in this space, including Google (Santa) and Facebook (osquery), as well as tools like Carbon Black, VirusTotal, and the Objective-See tools WhatsYourSign, ProcInfo, KnockKnock, LuLu, and TaskExplorer (among several others).
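The two paragraphs above describe the mechanism only in outline: a Fat file bundles several architecture slices, and a verifier that inspects only one slice can be satisfied while a different slice is the one that executes. The following added example (written for this page; it is not Okta REX code or any vendor’s checker) makes that concrete. It constructs a Fat binary in memory whose first slice carries an LC_CODE_SIGNATURE load command and whose second slice carries none, then contrasts a naive check that trusts the first slice with a check that requires every slice to be signed. Presence of LC_CODE_SIGNATURE is used here as a stand-in for full signature validation; a real verifier must call the Security framework (for example SecStaticCodeCheckValidity with the kSecCSCheckAllArchitectures flag) so that each slice’s signature is actually validated against Apple’s chain, which a parser alone cannot do.

```python
import struct

# Constants from <mach-o/fat.h> and <mach-o/loader.h>.
FAT_MAGIC = 0xCAFEBABE        # fat header is big-endian
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O, little-endian on Intel
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
CPU_TYPE_X86 = 7
CPU_TYPE_X86_64 = 0x01000007
CPU_NAMES = {CPU_TYPE_X86: "i386", CPU_TYPE_X86_64: "x86_64"}


def build_macho(cputype, is64, signed):
    """Constructed minimal Mach-O slice: header plus load commands, no real code."""
    cmds = [struct.pack("<II16s", LC_UUID, 24, b"\x11" * 16)]
    if signed:
        # linkedit_data_command: cmd, cmdsize, dataoff, datasize (blob omitted here)
        cmds.append(struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0))
    body = b"".join(cmds)
    if is64:  # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, 2, len(cmds), len(body), 0, 0)
    else:     # mach_header: same without the reserved field
        hdr = struct.pack("<IiiIIII", MH_MAGIC, cputype, 3, 2, len(cmds), len(body), 0)
    return hdr + body


def build_fat(slices, align=0x1000):
    """Constructed fat/universal container wrapping the given Mach-O blobs."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = align  # first slice starts on the first page boundary
    archs, payload = [], b""
    for blob in slices:
        cputype, cpusubtype = struct.unpack_from("<ii", blob, 4)
        archs.append(struct.pack(">iiIII", cputype, cpusubtype, offset, len(blob), 12))
        pad = (-len(blob)) % align
        payload += blob + b"\0" * pad
        offset += len(blob) + pad
    table = header + b"".join(archs)
    return table + b"\0" * (align - len(table)) + payload


def slice_has_code_signature(blob):
    """True if the Mach-O slice carries an LC_CODE_SIGNATURE load command."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == MH_MAGIC_64:
        off = 32
    elif magic == MH_MAGIC:
        off = 28
    else:
        raise ValueError("not a little-endian Mach-O slice")
    ncmds = struct.unpack_from("<I", blob, 16)[0]
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            break  # malformed load command; stop rather than loop forever
        off += cmdsize
    return False


def describe_slices(data):
    """Enumerate every architecture slice of a fat binary (or the single thin one)."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        cputype = struct.unpack_from("<i", data, 4)[0]
        return [{"cputype": cputype, "signed": slice_has_code_signature(data)}]
    nfat = struct.unpack_from(">I", data, 4)[0]
    out = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        if offset + size > len(data):
            raise ValueError(f"slice {i} runs past the end of the file")
        out.append({"cputype": cputype, "signed": slice_has_code_signature(data[offset:offset + size])})
    return out


def first_slice_signed(data):
    """Naive check: trust whatever the first slice says about itself."""
    return describe_slices(data)[0]["signed"]


def every_slice_signed(data):
    """Required check: reject the file if any slice lacks a signature."""
    return all(s["signed"] for s in describe_slices(data))


# Constructed sample: a signed x86_64 slice in front, an unsigned i386 slice behind it.
SAMPLE = build_fat([
    build_macho(CPU_TYPE_X86_64, True, signed=True),
    build_macho(CPU_TYPE_X86, False, signed=False),
])

if __name__ == "__main__":
    for s in describe_slices(SAMPLE):
        print(CPU_NAMES.get(s["cputype"], hex(s["cputype"])), "signed" if s["signed"] else "UNSIGNED")
    print("first-slice check passes:", first_slice_signed(SAMPLE))
    print("all-slices check passes:", every_slice_signed(SAMPLE))
```

Run as a script, the sample reports the x86_64 slice as signed and the i386 slice as unsigned, so the first-slice check passes while the all-slices check fails. The lesson carries over to real verifiers: a decision about a Fat file must be made on every slice it contains, not on whichever slice happens to sit first in the header.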

By exploiting this vulnerability, threat actors can trick even the most security-savvy people and bypass a core security function that most end users neither know about nor think about as they go about their digital activities. And, with the proliferation of apps for work and personal use in everybody’s daily lives, bad actors have no shortage of opportunities to abuse it.

For the full technical breakdown of this vulnerability, check out Josh’s post on our security blog.