Code Signing Flaw Affects all Mac OS Versions Since 2005

Okta Rex (Research and Exploitation) researcher Josh Pitts has discovered a method of exploiting the code signing mechanism in MacOS. If exploited, the flaw could allow malicious untrusted code to masquerade as legitimate trusted code and bypass checks by other security software.

Code signing attacks are not new. However, writes Pitts in a public disclosure published today, “Unlike some of the prior work, this current vulnerability does not require admin access, does not require JIT'ing code, or memory corruption to bypass code signing checks. All that is required is a properly formatted Fat/Universal file and code signing checks return valid.” Any Mac operating system since the 2005 introduction of OS X Leopard is vulnerable to this flaw.

Code signing works by cryptographically confirming that new code is authentic and not malicious code authored by a bad actor impersonating the original developer. While almost anything, from binaries to PowerShell scripts, can be signed on Windows, on MacOS code signing focuses on the Mach-O binary and application bundles to ensure only trusted code is executed in memory.

“Security, incident response, and forensics processes and personnel use code signing to weed out trusted code from untrusted code,” explains Pitts. “By verifying signed code, detection and response personnel can speed up investigations by separating trusted code from untrusted code.”

Pitts discovered, however, that the code signing mechanism in MacOS can be manipulated. All it requires is access to a genuinely signed Fat/Universal file. The other conditions are that the first Mach-O in the file must be validly signed by Apple; the added malicious code must be ad-hoc signed and compiled as i386 for an x86_64 target macOS; and the CPU_TYPE in the Fat header must be set either to an invalid type or to a valid CPU type that is not native to the host chipset.

Okta Rex told SecurityWeek that this technique bypasses the gamut of whitelisting, incident response, and process inspection solutions by appearing to be signed by Apple’s own root certificate.

The simple explanation is that the mechanism accepts the Apple signature on the first Mach-O, but the loader skips that code and executes the malicious code instead. “By setting the CPU_Type to an invalid type or valid not native CPU type (example: PPC), the Mach-O loader will skip over the validly signed Mach-O binary and execute the malicious (non-Apple signed) code,” writes the researcher.


In effect, the good code is skipped because its CPU_TYPE is wrong, while the subsequent malicious code is run because the code signing API prefers the native CPU architecture (x86_64) when performing its checks and will default to checking the unsigned code if it is x86_64.
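As an added example, not code from Okta Rex or from this article: a Python triage routine that walks every slice of a Fat/Universal file and flags the two tells described above, a slice whose Fat-header CPU_TYPE the loader would skip, and a slice whose Fat-header CPU_TYPE disagrees with the Mach-O header inside it. The sample file is constructed inline, with bare Mach-O headers standing in for the Apple-signed and ad-hoc signed binaries; signature verification itself is out of scope here.

```python
import struct
FAT_MAGIC = 0xCAFEBABE                                                   # <mach-o/fat.h>
MACHO_ENDIAN = {0xFEEDFACE: "<", 0xFEEDFACF: "<", 0xCEFAEDFE: ">", 0xCFFAEDFE: ">"}  # magic -> byte order
MH_MAGIC, MH_MAGIC_64, CPU_ARCH_ABI64 = 0xFEEDFACE, 0xFEEDFACF, 0x01000000
CPU_TYPE_I386, CPU_TYPE_POWERPC = 7, 18                                  # <mach/machine.h>
CPU_TYPE_X86_64 = CPU_TYPE_I386 | CPU_ARCH_ABI64
RUNNABLE_ON_X86_64 = {CPU_TYPE_X86_64, CPU_TYPE_I386}                    # slices the loader would pick

def mach_header(cputype):
    """Constructed minimal little-endian Mach-O header (cpusubtype 3, filetype MH_EXECUTE, no load commands)."""
    if cputype & CPU_ARCH_ABI64:
        return struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)
    return struct.pack("<IiiIIII", MH_MAGIC, cputype, 3, 2, 0, 0, 0)

def build_fat(slices):
    """Constructed Fat/Universal file from [(cputype claimed in the Fat header, payload bytes), ...]."""
    offset, archs, body = 8 + 20 * len(slices), b"", b""
    for cputype, payload in slices:   # fat_arch: cputype, cpusubtype, offset, size, align (log2)
        archs += struct.pack(">iiIII", cputype, 3, offset, len(payload), 2)
        body, offset = body + payload, offset + len(payload)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body

def parse_fat(data):
    """Yield (cputype claimed by the Fat header, cputype in the embedded Mach-O header or None) per slice."""
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a Fat/Universal file")
    for i in range(nfat):
        fat_cputype, _, off, _, _ = struct.unpack(">iiIII", data[8 + 20 * i:28 + 20 * i])
        endian = MACHO_ENDIAN.get(struct.unpack("<I", data[off:off + 4])[0]) if off + 8 <= len(data) else None
        yield fat_cputype, (struct.unpack(endian + "i", data[off + 4:off + 8])[0] if endian else None)

def audit(data, runnable=RUNNABLE_ON_X86_64):
    """Defender's triage: inspect every slice, not only the one the loader would run, and require agreement."""
    findings = []
    for i, (fat_cputype, macho_cputype) in enumerate(parse_fat(data)):
        if macho_cputype is None:
            findings.append(f"slice {i}: payload is not a Mach-O")
        elif fat_cputype != macho_cputype:
            findings.append(f"slice {i}: Fat header claims cputype {fat_cputype:#x} but the Mach-O header says {macho_cputype:#x}")
        if fat_cputype not in runnable:
            findings.append(f"slice {i}: cputype {fat_cputype:#x} would be skipped by the loader")
    return findings

# Constructed sample in the shape the article describes: an x86_64 Mach-O (stand-in for the Apple-signed
# binary) relabelled PowerPC in the Fat header, followed by an i386 Mach-O (stand-in for the ad-hoc signed code).
SAMPLE = build_fat([(CPU_TYPE_POWERPC, mach_header(CPU_TYPE_X86_64)),
                    (CPU_TYPE_I386, mach_header(CPU_TYPE_I386))])
```

A checker that only verifies the slice the loader would run reports nothing for SAMPLE; `audit` flags slice 0 twice. In a tool that calls Apple's code signing APIs, the corresponding fix is to ask for every architecture to be verified (the Security framework's kSecCSCheckAllArchitectures flag) rather than letting the check default to the native slice.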

Okta Rex contacted Apple on February 22, 2018 with a report and proof of concept examples that were able to bypass third-party security tools. Apple responded in March by saying it did not see this issue as a security problem that it should directly address.

Okta Rex disagreed, and informed Apple that it would notify third-party developers itself so that they could address the issues at their end. By early April it had notified — through CERT/CC — all known affected third party developers. These include VirusTotal, Google, Facebook, Objective Development, F-Secure, Objective-See, Yelp, and Carbon Black.

The researcher also recommended to CERT/CC on April 18 “that a public blog post is the best method for reaching third parties that use code signing APIs in a private manner.”

The researcher is not aware of any prior abuse of this technique by bad actors. Nevertheless, by exploiting this vulnerability, a threat actor could trick third-party security tools into believing their code is Apple-approved, letting malicious code live on a macOS machine until it’s patched.
Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.