Apple Code-Signing Flaw: Developers Beware

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Okta’s Research and Exploitation team released details on June 12 about an issue with third-party code-signing validation using Apple’s APIs. The flaw, which dates back to 2005, makes it possible for attackers to make malicious code appear to be signed by Apple when, in fact, it is not. Multiple third-party applications are affected – particularly those which offer “whitelisting services” – because developers misinterpreted the code-signing API, leading to incomplete signature validation in their applications.

The flaw affects packages from third-party vendors, including Google (CVE-2018-10405), Facebook (CVE-2018-6336) and VirusTotal (CVE-2018-10408), among others. Affected packages are listed on Okta’s advisory page. However, this flaw likely affects many other vendors.

Tenable’s analysis

This flaw exists because of the difference in the way the system loader (Mach-O) validates signed code and the way it’s validated by third-party security applications using the code- signing API.

The flaw takes advantage of the checking of the Fat/Universal file format and its use of several Mach-O files that apply to specific native CPU architectures. According to Okta, for the vulnerability to work:

  • “The first Mach-O in the Fat/Universal file must be signed by Apple, can be i386, x86_64, or even PPC.
  • The malicious binary, or non-Apple supplied code, must be ad-hoc signed and i386 compiled for an x86_64 bit target macOS.
  • The CPU_TYPE in the Fat header of the Apple binary must be set to an invalid type or a CPU Type that is not native to the host chipset.”

This results in a partial signature check “…but without checking the CA [certificate authority] root of trust.”

Tenable’s solution

Apple does not consider this an issue it would directly fix in the APIs. Instead, Apple has placed the onus on third-party developers who use the code-signing APIs.

Tenable Research has developed the following plugin for the issue and we continue to monitor the situation for our customers:

Plugin ID



Google Santa < 0.9.25

Additional information

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at
Promoted Content
Five Steps to Building a Successful Vulnerability Management Program
Is your vulnerability management program struggling? Despite proven technology solutions and the best efforts of IT teams, unresolved vulnerabilities remain an ongoing source of friction and frustration in many organizations. Regardless of how many vulnerabilities are fixed, there will always be vulnerabilities that can’t easily be remediated – and too often, finger-pointing between IT teams and business groups can ensue.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?