Wednesday 3 October 16:30 - 17:00, Green room
Thomas Reed (Malwarebytes)
Macintosh applications are almost always code signed today, which is a very good thing. Unfortunately, there is a serious flaw in how macOS handles code signatures that can lead to a false sense of security. Most Mac users, and even most Mac admins, are unaware of these flaws.
Because macOS checks code signatures very infrequently, it is easily possible to hijack a legitimate application that is already installed on the system without triggering any kind of code signature check. Worse, most developers are not aware of this, and do not add their own code signature self-checks. This means that there are countless vulnerable Mac applications in existence on the market.
This is extremely easy to exploit, as will be demonstrated. Fortunately, there are also steps that will be described that developers can take to prevent their apps from being abused in this manner, as well as some ways that admins can flag potential problems with applications on their endpoints, or that techs can use while troubleshooting issues.
Although there is currently no malware known to be taking advantage of this issue, it could easily happen in the future. As macOS appears to be behaving as designed, it will fall on the shoulders of developers to ensure their apps are not vulnerable to such threats.
Thomas Reed has been a Mac user since 1984, and is a self-taught developer and security researcher. He is the founder of The Safe Mac and creator of the AdwareMedic adware removal tool for Macs. He is currently Director of Mac & Mobile at Malwarebytes, where he directs product development and Mac security research. His hobbies include hiking and photography, and he is happily married with four children.
Siegfried Rasthofer (Fraunhofer SIT)
Stephan Huber (Fraunhofer SIT)
Steven Arzt (Fraunhofer SIT)
Jay Rosenberg (Intezer Labs)
Itai Tevet (Intezer Labs)
Thais Moreira Hamasaki (F-Secure)