Code signing flaw in macOS

Wednesday 3 October 16:30 - 17:00, Green room

Thomas Reed (Malwarebytes)



Macintosh applications are almost always code signed today, which is a very good thing. Unfortunately, there is a serious flaw in how macOS handles code signatures that can lead to a false sense of security. Most Mac users, and even most Mac admins, are unaware of these flaws.

Because macOS checks code signatures very infrequently, it is easily possible to hijack a legitimate application that is already installed on the system without triggering any kind of code signature check. Worse, most developers are not aware of this, and do not add their own code signature self-checks. This means that there are countless vulnerable Mac applications in existence on the market.

This is extremely easy to exploit, as will be demonstrated. Fortunately, there are also steps that will be described that developers can take to prevent their apps from being abused in this manner, as well as some ways that admins can flag potential problems with applications on their endpoints, or that techs can use while troubleshooting issues.

Although there is currently no malware known to be taking advantage of this issue, it could easily happen in the future. As macOS appears to be behaving as designed, it will fall on the shoulders of developers to ensure their apps are not vulnerable to such threats.

 

Thomas-Reed-web.jpg

Thomas Reed

Thomas Reed has been a Mac user since 1984, and is a self-taught developer and security researcher. He is the founder of The Safe Mac and creator of the AdwareMedic adware removal tool for Macs. He is currently Director of Mac & Mobile at Malwarebytes, where he directs product development and Mac security research. His hobbies include hiking and photography, and he is happily married with four children.

@thomasareed

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.