myhack58 | Anonymous | MYHACK58:62201890524
History: Jun 23, 2018 - 12:00 a.m.

Apple code signing vulnerability lets malware bypass many Mac security products - vulnerability warning - Heiba Security Net (myhack58)

www.myhack58.com

EPSS: 0.001 (percentile 40.9%)

Josh Pitts, a researcher with security company Okta's REX (Research and Exploitation) team, recently found an exploitable flaw in the macOS code signing mechanism. The flaw has been present for years. It allows an attacker to insert untrusted, malicious code that masquerades as trusted, legitimately signed code and slips past the checks of many macOS security products, including Little Snitch, F-Secure xFence, VirusTotal, Google Santa and Facebook OSQuery.
Attacks on code signing are not a new technique. According to the disclosure Pitts published today, what sets this flaw apart from earlier attacks is that it requires neither administrator privileges, nor JIT'ing code, nor memory corruption to bypass code signature checks. The attacker only needs a specially crafted Fat/Universal file to make the macOS code signing APIs report the file as validly signed. Every Apple operating system release since OS X Leopard (10.5, released in 2007) is affected.
Code signing is an important weapon against malicious software: it helps the user establish the true identity of a signed app's publisher and verify that the application has not been tampered with. It rests on cryptographic signatures to establish the code's authenticity and to stop an attacker's malicious code from passing itself off as legitimate code.
Pitts explained: "Network security, incident response and forensics personnel, as well as individual users, rely on code signing to distinguish legitimate code from malicious code, but the code signing mechanism in macOS can be subverted. First, the attacker needs a legitimately signed Fat/Universal file whose first Mach-O has been verified by Apple. Next, the malicious code that is added must be compiled for the target macOS architecture, i386, x86_64 or PPC. Finally, the CPU_TYPE in the Fat header must be set to an invalid type, or to a CPU type that differs from the target host's chip."
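The slice-selection mismatch behind the three conditions Pitts lists above, as an added example (this is not code from the page, from Okta REX, or from any of the affected products): a Python audit of a Fat/Universal header that parses the fat_arch table as laid out in <mach-o/fat.h>, models which slice the loader would execute on a given host and which slice a checker that falls back to the first Mach-O would verify, and reports any file where those differ or where a slice carries an unknown CPU_TYPE. The loader and checker rules are a simplified model of the behaviour the text describes, not the kernel's exact arch-grading logic; the slice payloads are opaque constructed bytes rather than real Mach-O code; and the compatibility table (an x86_64 host can still run an i386 slice) is an assumption of the example.

```python
"""Fat/Universal header audit for the slice-selection mismatch.

Added example, not code from the page or from Okta REX. Struct layouts follow
<mach-o/fat.h>; the loader/checker selection rules below are a simplified
model of the behaviour described in the article (assumption).
"""
import struct

FAT_MAGIC = 0xCAFEBABE                      # big-endian fat header magic
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_I386 = 7
CPU_TYPE_X86_64 = CPU_TYPE_I386 | CPU_ARCH_ABI64
CPU_TYPE_POWERPC = 18
KNOWN_CPU_TYPES = {CPU_TYPE_I386, CPU_TYPE_X86_64, CPU_TYPE_POWERPC}
# Assumption: foreign slices a host can still execute (x86_64 hosts ran i386
# binaries until macOS 10.15); extend for other hosts as needed.
COMPATIBLE = {CPU_TYPE_X86_64: (CPU_TYPE_I386,)}

FAT_HEADER = struct.Struct(">II")    # magic, nfat_arch
# cputype, cpusubtype, offset, size, align; cputype is read unsigned so a
# bogus value such as 0xDEADBEEF stays visible instead of printing negative.
FAT_ARCH = struct.Struct(">IIIII")


def parse_fat(data):
    """Return the fat_arch entries, or raise if this is not a fat file."""
    magic, nfat = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat/universal file")
    arches = []
    for i in range(nfat):
        cputype, cpusubtype, offset, size, _align = FAT_ARCH.unpack_from(
            data, FAT_HEADER.size + i * FAT_ARCH.size)
        if offset + size > len(data):
            raise ValueError(f"slice {i} runs past end of file")
        arches.append({"cputype": cputype, "cpusubtype": cpusubtype,
                       "offset": offset, "size": size})
    return arches


def loader_slice(arches, host_cputype):
    """Index of the slice the kernel would execute: an exact native match
    first, then a compatible foreign arch; unknown cputypes are never run."""
    for i, a in enumerate(arches):
        if a["cputype"] == host_cputype:
            return i
    for i, a in enumerate(arches):
        if a["cputype"] in COMPATIBLE.get(host_cputype, ()):
            return i
    return None  # nothing runnable: the kernel refuses to exec the file


def vulnerable_checker_slice(arches, host_cputype):
    """Model of the pre-fix behaviour the article describes: verify the native
    slice if one exists, otherwise fall back to the first Mach-O in the file."""
    for i, a in enumerate(arches):
        if a["cputype"] == host_cputype:
            return i
    return 0


def audit_fat(data, host_cputype=CPU_TYPE_X86_64):
    """Return findings for one fat file; an empty list means no sign of the pattern."""
    arches = parse_fat(data)
    findings = []
    for i, a in enumerate(arches):
        if a["cputype"] not in KNOWN_CPU_TYPES:
            findings.append(f"slice {i}: unknown cputype 0x{a['cputype']:08x}")
    run = loader_slice(arches, host_cputype)
    checked = vulnerable_checker_slice(arches, host_cputype)
    if run is not None and run != checked:
        findings.append(f"checker verifies slice {checked} but loader would run slice {run}")
    return findings


def build_fat(slices):
    """Constructed test data: pack (cputype, payload) pairs into a fat file.
    Payloads are opaque bytes, not real Mach-O slices; align is 0 because this
    blob is not page-aligned the way a real linker output would be."""
    offset = FAT_HEADER.size + FAT_ARCH.size * len(slices)
    entries, body = [], b""
    for cputype, payload in slices:
        entries.append(FAT_ARCH.pack(cputype, 3, offset, len(payload), 0))
        body += payload
        offset += len(payload)
    return FAT_HEADER.pack(FAT_MAGIC, len(slices)) + b"".join(entries) + body


# Constructed samples: a normal universal binary, the malformed layout from the
# article (Apple-signed first slice with a bogus CPU_TYPE, attacker i386 slice
# second), and the non-native variant (Apple-signed PPC slice first).
BENIGN = build_fat([(CPU_TYPE_X86_64, b"apple-signed x86_64 slice"),
                    (CPU_TYPE_I386, b"apple-signed i386 slice")])
MALFORMED = build_fat([(0xDEADBEEF, b"apple-signed slice, bogus cputype"),
                       (CPU_TYPE_I386, b"attacker ad-hoc-signed i386 slice")])
NON_NATIVE = build_fat([(CPU_TYPE_POWERPC, b"apple-signed ppc slice"),
                        (CPU_TYPE_I386, b"attacker i386 slice")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED), ("non-native", NON_NATIVE)):
        print(name, audit_fat(blob) or "clean")
```

The audit is a triage signal, not a signature check: the real fix is for a verifier to sign-check the slice the loader will actually run, or every slice, rather than whichever slice it happens to pick first (the Security framework's SecStaticCode API exposes a kSecCSCheckAllArchitectures flag for the latter; the page itself does not discuss it).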
In an interview with SecurityWeek, Okta REX said the technique bypasses whitelisting based on Apple-root-certificate signatures, incident response tooling and process protection. An attacker who exploits it successfully gains access to the personal user data, financial data and other sensitive information stored on the target host.
Okta REX first contacted Apple on February 22, 2018 and submitted a PoC sample. Apple's response at the time was that it did not consider this a serious security issue. Okta REX naturally disagreed, and held that Apple should alert third-party product developers so that they could fix the problem on their side. Not until April of this year did Apple notify all affected vendors, including VirusTotal, Google, Facebook, Objective Development, F-Secure, Objective-See, Yelp and Carbon Black.
Affected products (with CVE identifiers):
VirusTotal (CVE-2018-10408)
Google: Santa, molcodesignchecker (CVE-2018-10405)
Facebook: OSQuery (CVE-2018-6336)
Objective Development: Little Snitch (CVE-2018-10470)
F-Secure: xFence and Little Flocker (CVE-2018-10403)
Objective-See: WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer and others (CVE-2018-10404)
Yelp: OSXCollector (CVE-2018-10406)
Carbon Black: Cb Response (CVE-2018-10407)
If you use a product on the list above, update it as soon as a fix is available; if no update is available, switch to another protective product.
