For almost 11 years, hackers could easily bypass 3rd-party macOS signature checks

Minimalist · Jun 12, 2018

For almost 11 years, hackers have had an easy way to get macOS malware past the scrutiny of a host of third-party security tools by tricking them into believing the malicious wares were signed by Apple, researchers said Tuesday.

Digital signatures are a core security function for all modern operating systems. The cryptographically generated signatures make it possible for users to know with complete certainty that an app was digitally signed with the private key of a trusted party. But, according to the researchers, the mechanism many macOS security tools have used since 2007 to check digital signatures has been trivial to bypass. As a result, it has been possible for anyone to pass off malicious code as an app that was signed with the key Apple uses to sign its apps.
Click to expand...

https://arstechnica.com/information...-macos-signature-checks-by-third-party-tools/

Rasheed187 · Jun 12, 2018

So much for Apple being more secure, seems like quite a big hole to me, no matter what they say.

Minimalist · Jun 12, 2018

It seems like only a "bug" in API documentation. They've updated documentation, 3rd party vendors will have to update their software. No software update from Apple necessary.

“To be clear, this is not a vulnerability or bug in Apple’s code... basically just unclear/confusing documentation that led to people using their API incorrectly,” Wardle told Ars. “Apple updated [its] documents to be more clear, and third-party developers just have to invoke the API with a more comprehensive flag (that was always available).”
Click to expand...

guest · Jun 12, 2018

Rasheed187 said: ↑

So much for Apple being more secure, seems like quite a big hole to me, no matter what they say.
Click to expand...

+1

More users, more hackers will be "attracted" which will expose more vulnerabilities; same story for any OS.

Log in or Sign up

For almost 11 years, hackers could easily bypass 3rd-party macOS signature checks

Minimalist Registered Member

Rasheed187 Registered Member

Minimalist Registered Member

guest Guest

Log in or Sign up

For almost 11 years, hackers could easily bypass 3rd-party macOS signature checks

Minimalist Registered Member

Rasheed187 Registered Member

Minimalist Registered Member

guest Guest

Useful Searches