Important tools for keeping malicious software off Macs could have been tricked, cybersecurity firm Okta said in research made public Tuesday.
Okta researchers examined several whitelisting services that scan files for Mac computers and discovered that the tools could allow bad code to skate by and look like it had been cleared by Apple.
"The impact is that I can take malicious code and make it look like it's signed by Apple itself," said Josh Pitts, Okta's senior penetration testing engineer.
The tools, which are made by third parties and not Apple, can give peace of mind to savvy computer users and forensic cybersecurity experts by greenlighting files that are clearly legitimate. That's important, because even though malicious software designed to target Macs is less common than nastiness aimed at Windows computers, Mac malware is real.
The tools are provided by major tech companies such as Facebook, Google and Yelp, as well as cybersecurity companies including Chronicle, Carbon Black, F-Secure, Objective Development and Objective-See. In Okta's tests, the tools didn't catch malicious files with fudged credentials. After some investigating, Okta said it learned that the software developers responsible for the tools had misunderstood Apple's guidance for running a whitelisting service on Macs.
The errors show that even tech giants can get things wrong. Okta doesn't have examples of real malware using the technique to find a home on Macs. And all of the companies involved except for Carbon Black and Objective Development told CNET they addressed the problem earlier this year after learning about it from Okta researchers. But the researchers say other tools that Okta hasn't tested might have similar flaws, so they're offering guidance to help software makers fix their tools.
You might not have heard of whitelisting, but the approach is an important piece of the puzzle when it comes to stopping hackers.
"These tools are generally more trusted than antivirus software," Pitts said.
In response to Okta's research, Apple said it's in the process of updating the documentation that explains to software developers how to build whitelisting tools for Macs. The tools must interface with Apple's code-signing API, which is software that dictates exactly how code written by third-party developers interacts with Mac computers.
Patrick Wardle, a security researcher who focuses on Macs, provides several tools with the ability to whitelist files through his brand Objective-See. Wardle said in a Twitter direct message that the original guidance from Apple was "rather confusing." After reviewing the research with Okta, he's updated his WhatsYourSign and Lulu whitelisting tools, and has more updates coming for his other offerings, he said.
Wardle said the problem is "not the end of the world, but something that should be fixed for sure!"
Google, which offers an open-source whitelisting tool called Santa (which knows if it's a good or bad file), said it released a fix for the problem in April. Yelp, the creator of the OSXCollector whitelisting tool, has disabled the tool's ability to whitelist files based on whether Apple has signed off on them, a spokeswoman said.
"Yelp's data and users were never at risk due to this vulnerability," she said, but added the company will make the flaw public to warn other users of OSXCollector.
Chronicle, the maker of VirusTotal, said the issue has been fixed in its service. F-Secure, which provides xFence, also said its tool has been updated to address the problem. "This is the sort of research and process that results in better security for all," the company said in a statement.
Facebook said in a statement that its OSQuery tool has been fixed as well, and that the update is available for download, adding, "We're grateful to the researcher who brought this to our attention."
Objective Development developer Marco Masser said in a blog post Wednesday that his company had updated its Little Snitch tool. It also clarified that while Little Snitch might have incorrectly marked a file as being signed by Apple due to this flaw, it would not have let users connect to malicious files or software. Instead, it would have noticed that the fudged Apple signature didn't match the software.
"Little Snitch shows a connection alert that prominently notifies you about this mismatch," Masser said.
Carbon Black, which makes Cb Response, declined to comment for this story.
First published, June 12 at 6 a.m. PT.
Update, 9:07 a.m. and 9:41 a.m. PT: Adds responses from Facebook, Chronicle and F-Secure.
Update, June 13, 10:28 a.m. PT: Adds response from Objective Development.