Thursday, February 22, 2018

Code Signing Validation Bug

Patrick Wardle (video):

🤬🤬 Apple’s SecStaticCodeCheckValidity() API validates the signature of a file. Allows AV/security tools to say stuff like: “I’ll trust this 🍎-signed binary!” But malware can trick it into saying they are signed by Apple.

The ‘good news’ is Apple’s utils/defenses such as Gatekeeper & vm.cs_enforcement=1 aren’t tricked… just basically every 3rd-party security tool 😭😭 Until Apple fixes this - don’t invoke said API with kSecCSDefaultFlags.

Howard Oakley:

Patrick has found a workaround, and has already updated Objective-See’s invaluable signature-checking tool What’s My Sign?, which shouldn’t now succumb to this spoofing. If you rely on any other malware checking tools, such as an anti-virus product, you may want to install the updated What’s My Sign? (version 1.4.1) and perform manual checks until that product has been updated to address this problem.

Jeff Johnson:

Is the issue “By default, only the native architecture is validated”?

Patrick Wardle:

I believe that’s where the bug resides as kSecCSUseAllArchitectures correctly returns a code signing issue. Problem is, what ends up running by default (i.e. what the runtime identifies/executes as native architecture) is unsigned malicious code. So there is a discrepancy :(
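As an added illustration (not code from the post, from Objective-See, or from Apple), here is the weak check beside the hardened one: the same SecStaticCodeCheckValidity call made with kSecCSDefaultFlags and then with the all-architectures flag, against an "anchor apple" requirement so the answer is specifically "is this signed by Apple?". Assumptions: the flag name kSecCSCheckAllArchitectures (the SecStaticCodeCheckValidity flag declared in SecStaticCode.h) and the command-line path argument are mine.

```objc
// Added example: validate a binary's Apple signature the weak way and the
// hardened way. Build with: clang -framework Security -framework CoreFoundation
#import <Security/Security.h>
#import <CoreFoundation/CoreFoundation.h>
#include <stdio.h>
#include <string.h>

// Returns errSecSuccess only if the file validates against the Apple anchor
// under the given flags; the caller decides which flags to trust.
static OSStatus checkAppleSigned(const char *path, SecCSFlags flags) {
    CFURLRef url = CFURLCreateFromFileSystemRepresentation(
        kCFAllocatorDefault, (const UInt8 *)path, strlen(path), false);
    SecStaticCodeRef code = NULL;
    SecRequirementRef apple = NULL;
    OSStatus status = SecStaticCodeCreateWithPath(url, kSecCSDefaultFlags, &code);
    if (status == errSecSuccess) {
        // "anchor apple" means signed by Apple itself, not merely Developer ID.
        status = SecRequirementCreateWithString(CFSTR("anchor apple"),
                                                kSecCSDefaultFlags, &apple);
    }
    if (status == errSecSuccess) {
        status = SecStaticCodeCheckValidity(code, flags, apple);
    }
    if (apple) CFRelease(apple);
    if (code) CFRelease(code);
    CFRelease(url);
    return status;
}

int main(int argc, char *argv[]) {
    if (argc != 2) { fprintf(stderr, "usage: %s <path>\n", argv[0]); return 2; }
    // Weak: kSecCSDefaultFlags validates only the architecture the runtime
    // treats as native, which is the discrepancy the post describes.
    OSStatus weak = checkAppleSigned(argv[1], kSecCSDefaultFlags);
    // Hardened: every slice of a fat binary must validate (assumed flag name).
    OSStatus hardened = checkAppleSigned(argv[1], kSecCSCheckAllArchitectures);
    printf("default flags:     %s (%d)\n",
           weak == errSecSuccess ? "valid" : "INVALID", (int)weak);
    printf("all architectures: %s (%d)\n",
           hardened == errSecSuccess ? "valid" : "INVALID", (int)hardened);
    // A file that passes the first check but fails the second is exactly the
    // spoof case; a security tool should treat it as not Apple-signed.
    return hardened == errSecSuccess ? 0 : 1;
}
```

Only the second result should drive a trust decision; a mismatch between the two is itself worth logging.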

