{"id":20670,"date":"2018-02-22T15:22:53","date_gmt":"2018-02-22T20:22:53","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=20670"},"modified":"2018-02-22T15:22:53","modified_gmt":"2018-02-22T20:22:53","slug":"code-signing-validation-bug","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/02\/22\/code-signing-validation-bug\/","title":{"rendered":"Code Signing Validation Bug"},"content":{"rendered":"<p><a href=\"https:\/\/twitter.com\/patrickwardle\/status\/966598700330971136\">Patrick Wardle<\/a> (<a href=\"https:\/\/vimeo.com\/256913875\">video<\/a>):<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/patrickwardle\/status\/966598700330971136\">\n<p>&#x1F92C;&#x1F92C; Apple&rsquo;s <code>SecStaticCodeCheckValidity()<\/code> API validates the signature of a file. Allows AV\/security tools to say stuff like: &ldquo;I&rsquo;ll trust this &#x1F34E;-signed binary!&rdquo; But malware can trick it into saying they are signed by Apple.<\/p>\n<p>The &lsquo;good news&rsquo; is Apple&rsquo;s utils\/defenses such as Gatekeeper &amp; <code> vm.cs_enforcement=1<\/code> aren&rsquo;t tricked....just basically every 3rd-party security tool &#x1F62D;&#x1F62D; Until Apple fixes this  - don&rsquo;t invoke said API with <code>kSecCSDefaultFlags<\/code>.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/eclecticlight.co\/2018\/02\/22\/a-bug-in-signature-checking-weakens-most-anti-malware-tools\/\">Howard Oakley<\/a>:<\/p>\n<blockquote cite=\"https:\/\/eclecticlight.co\/2018\/02\/22\/a-bug-in-signature-checking-weakens-most-anti-malware-tools\/\"><p>Patrick has found a workaround, and has already updated Objective-See&rsquo;s invaluable signature-checking tool <a href=\"https:\/\/objective-see.com\/products\/whatsyoursign.html\" target=\"_blank\">What&rsquo;s My Sign?<\/a>, which shouldn&rsquo;t now succumb to this spoofing. If you rely on any other malware checking tools, such as an anti-virus product, you may want to install the updated What&rsquo;s My Sign? (version 1.4.1) and perform manual checks until that product has been updated to address this problem.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/patrickwardle\/status\/966744189609295872\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/patrickwardle\/status\/966744189609295872\">\n<p>Is the issue &ldquo;<a href=\"https:\/\/opensource.apple.com\/source\/Security\/Security-58286.41.2\/OSX\/libsecurity_codesigning\/lib\/SecStaticCode.h.auto.html\">By default, only the native architecture is validated<\/a>&rdquo;?<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/patrickwardle\/status\/966744189609295872\">Patrick Wardle<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/patrickwardle\/status\/966744189609295872\"><p>I believe that&rsquo;s where the bug resides as <code>kSecCSUseAllArchitectures<\/code> correctly returns a code signing issue. Problem is, what ends up running by default (i.e. what the runtime identifies\/executes as native architecture) is unsigned malicious code. So there is a discrepancy :(<\/p><\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Patrick Wardle (video): &#x1F92C;&#x1F92C; Apple&rsquo;s SecStaticCodeCheckValidity() API validates the signature of a file. Allows AV\/security tools to say stuff like: &ldquo;I&rsquo;ll trust this &#x1F34E;-signed binary!&rdquo; But malware can trick it into saying they are signed by Apple. The &lsquo;good news&rsquo; is Apple&rsquo;s utils\/defenses such as Gatekeeper &amp; vm.cs_enforcement=1 aren&rsquo;t tricked....just basically every 3rd-party security tool [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[131,466,30,1529,504,48],"class_list":["post-20670","post","type-post","status-publish","format-standard","hentry","tag-bug","tag-codesigning","tag-mac","tag-macos-10-13","tag-malware","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20670","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=20670"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20670\/revisions"}],"predecessor-version":[{"id":20671,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/20670\/revisions\/20671"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=20670"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=20670"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=20670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}