Bugs Allowed Hackers To Make Malware Look Like Apple Software (vice.com)

An anonymous reader shares a report: For years, hackers could hide malware alongside legitimate Apple code and sneak it past several popular third-party security products for Mac computers, according to new research. This is not a flaw in MacOS but an issue in how third-party security tools implemented Apple's APIs. A researcher from security firm Okta found that several security products for Mac -- including Little Snitch, xFence, and Facebook's OSquery -- could be tricked into believing malware was Apple code, and let it past their defenses. "I can take malicious code and make it look like it's signed by Apple," Josh Pitts, the security researcher at Okta who discovered these bugs, told Motherboard. In a blog post published Tuesday, Pitts explained that the issue lies with how the third-party security tools implemented Apple's code-signing APIs when dealing with Mac's executable files known as Universal or Fat files.

  1. The balances with security products. by jellomizer · · Score: 4, Interesting

    We all hate virus scanners and other security products, because they slow our systems way down; they often slow our systems more than the actual malware would. However, the designers need to find some sweet spot between the speed of their tools and their effectiveness. So flaws like this are understandable, because actually validating the signature will take more time to process vs. the current number of malware samples that use this trick.

    Now that it is known, I expect security companies will now have to fix their code to check for this, and slow our systems down further. Part of the popularity of these closed ecosystems of iOS vs MacOS is the ability to only allow good actors to work on your platform, while blocking any unknown actors (good or bad) from causing harm, reducing the need for external security software which will slow the system down.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:The balances with security products. by drinkypoo · · Score: 3, Insightful

      What I "hate" (that's a strong word) is that there's no Free OS that is based first and foremost around the concept of security. I for one would be happy to give up most of my system's performance for a significant improvement in security, especially if the system were also more reliable. I can have a second system for high-performance tasks.

      Most people who are not gamers have much more computing power than they really need now (at least in desktops and laptops) and spend most of their time web browsing. Their systems are mostly idle and they could afford to give away substantial performance in exchange for security.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:The balances with security products. by jellomizer · · Score: 2

      OpenBSD or am I walking into a Troll?

      However, the big issue with OpenBSD is that it isn't designed well for the general computing that we do on our PCs. Being everything that is potentially dangerous is closed and/or locked down, it means whenever we need to do something new, we need to consciously turn off a security feature. While great for hosting and servers, where such rigor should be the norm, for your PC it can get annoying rather quickly.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    3. Re:The balances with security products. by drinkypoo · · Score: 2

      OpenBSD or am I walking into a Troll?
      However the big issue with OpenBSD is that it isn't designed well for general computing that we do on our PC's.

      OpenBSD wasn't designed for security first, it was developed from BSD. Security was an afterthought. Fixing holes in BSD is their focus, and while it's not a waste of time, it's not the same as designing an OS for security from day one.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:The balances with security products. by eddeye · · Score: 1

      So flaws like this is understandable, because actually validating the signature will take more time to process vs. the current number of malware that uses this trick.

      That's bullshit. You only need to validate each signature once when the app is downloaded / executed for the first time. How many times a day are you doing that? Vanishingly small. It's not a significant source of slowdown.

      Even if it was, your risk / reward tradeoff is all wrong. You're saving a few seconds a day of processing time, while risking that the occasional malware gets through? That's a terrible risk calculus. I bet you drive with no seatbelts either. Hey, you've never had an accident yet!

      Face it - these products fucked up. There's no excuse for not checking signatures when that's what you claim to do.

      --
      Democracy is two wolves and a sheep voting on lunch.
    5. Re:The balances with security products. by MightyYar · · Score: 1

      no Free OS that is based first and foremost around the concept of security.

      This sounds nice, but in practice it would wind up pretty much the same as the other flavors of OS. The most secure computer is one that is off - do anything useful with it, and you start to make security compromises. The compromises add up to a balance of security and usefulness that exists in every modern OS, and that same dynamic would be true in a "secure OS" even if it started from the other extreme. As the other commenters mentioned, OpenBSD and Qubes exist. Yeah, they modified other OSes (BSD and Xen, respectively), but in the end they resemble what you are asking for.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    6. Re:The balances with security products. by drinkypoo · · Score: 1

      Do you not count Qubes?

      I'd prefer not to have to virtualize entire operating systems in order to run applications. How well does it work without GPU virtualization?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:The balances with security products. by AHuxley · · Score: 1

      Pay $40 per year for that security product to work deep in the Apple OS to keep malware out.
      Malware becomes the approved, trusted and secure security products and creates crypto currency over a year.
      All the user can see is trusted and approved apps working in the background.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:The balances with security products. by drinkypoo · · Score: 1

      It depends on if your motherboard and CPU support IOMMU at appropriate levels. Oh, and it likely requires you to have 2 graphics cards available, also, so laptops, Macs and AIO-systems are SOL.

      I've got two graphics cards, but they are only 950s so I use them in SLI because otherwise they are slowwwww. (One was an RMA replacement for a 750 Ti, then I bought the other one.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:The balances with security products. by Andtalath · · Score: 1

      Qubes?

  2. That's funny... by The+Fat+Bastard · · Score: 1

    I had to reinstall iTunes on my Windows 10 PC. I went to the Apple iTunes page and it sent me to... Microsoft App Store. That's right, kiddies. Apple iTunes is now a Windows App. Be afraid... very afraid.

    1. Re:That's funny... by Anonymous Coward · · Score: 1

      I had to reinstall iTunes on my Windows 10 PC. I went to the Apple iTunes page and it sent me to... Microsoft App Store. That's right, kiddies. Apple iTunes is now a Windows App. Be afraid... very afraid.

      What you should be afraid of is the likelihood that eventually you will only be able to install into Windows from their store.

      Then your choice will be Microsoft's walled Garden, Apple's walled garden, or rolling your own via Linux.

      I can see Microsoft going that route.

    2. Re:That's funny... by v1 · · Score: 1

      iTunes has been available on Windows for quite some time now. All those windows users that bought an iPhone or iPad and need to put stuff on it.

      It's a lot easier on the windows users to go to the MS store where the download and installation process is familiar.

      Of course iTunes's time as the "gateway to the iPhone" is on borrowed time. Apple is moving away from that to direct cloud access. Users can already do almost everything iTunes can do directly with Apple from their iDevice. By 2020 iTunes probably won't be able to do much of anything directly with your iPhone, regardless of what platform you're on.

      --
      I work for the Department of Redundancy Department.
    3. Re:That's funny... by The+Fat+Bastard · · Score: 1

      iTunes has been available on Windows for quite some time now.

      Until recently as a downloadable installer from Apple.

      All those windows users that bought an iPhone or iPad and need to put stuff on it.

      I have never synced my iOS devices to a PC. I do watch iTunes movies on my PC screen.

      It's a lot easier on the windows users to go to the MS store where the download and installation process is familiar.

      As a Windows user since 3.11, this was my first time using Microsoft App Store.

      Of course iTunes's time as the "gateway to the iPhone" is on borrowed time. Apple is moving away from that to direct cloud access.

      That was two or three years ago.

    4. Re:That's funny... by BronsCon · · Score: 1

      It's a lot easier on the windows users to go to the MS store where the download and installation process is familiar.

      Most Windows users have never touched the Windows Store, it's not really that familiar to most.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  3. You mean . . . by Joey+Vegetables · · Score: 1

    You mean there's a difference????

  4. As an XCode user I thought by oldgraybeard · · Score: 1

    that to get an app into the Apple Store the source/install had to be submitted to Apple for review. So either I am mistaken or Apple is not doing a good job of review. TBH I don't know; I develop in-house apps for clients and have not tried to use the App Store as a distribution point.

    Just my 2 cents ;)

    1. Re:As an XCode user I thought by BronsCon · · Score: 1

      Be gentle, he's an XCode user.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  5. "Facebook's OSquery" by 93+Escort+Wagon · · Score: 1

    It's possible this particular application is legit, but - why would anyone with any intelligence allow any app from Facebook to have that level of access to their system?

    Or have I answered my own question?

    --
    #DeleteChrome
  6. The hackers will regret this by houghi · · Score: 1

    Now they have awoken the beast. The legal copyright team of Apple is self-aware and ready for its prey.

    I feel sorry for the hackers. Smitten like ants under a loupe.

    --
    Don't fight for your country, if your country does not fight for you.
  7. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  8. Not a flaw in MacOS? by RhettLivingston · · Score: 1

    The FDA has denied many drug approvals or sent them back to the drawing board on how a drug is delivered if tests showed that the users could not be counted on to reliably administer it. Difficult-to-use placement of controls in cars has caused major losses to auto companies on multiple occasions. Usability is an important design feature in many areas of design.

    Usability of a security API is a feature that can have bugs. I'm guessing that these tools with bugs were not created by stupid people and they all made the same mistake in implementing their use of this security API.

    Why would the security API be outright absolved of fault in this case? Is there not a pattern of error that is likely the result of some design pattern in the API since it is recurring?