Fat Binaries Could Hold Key to New macOS Vulnerability

While macOS has a reputation for functioning as a secure Unix environment, it seems that third-party developers could theoretically use Apple’s code signing API to trick the operating system’s security services. These tools may then incorrectly believe that embedded malicious code was signed by Apple and is therefore safe to run regardless of what it does.

Code signing is an excellent way to weed out untrusted code so that the only processes running on a system are those that are safe to execute. Both macOS and iOS use signatures to certify Mach-O binaries as well as application bundles, but it seems that experts earlier in the week found a way to undermine this system.

According to infosec researchers, an overwhelming majority of security products use a faulty method of verifying cryptographic signatures, which make them view potentially unsigned code as signed by Apple.

It seems that Apple’s own tools, however, have implemented the APIs properly. The method to exploit the vulnerability is therefore a bit odd and relies at least in part on how fat binaries work.

For instance, one security researcher combined a legitimate program signed by Apple and mixed it with a binary that was i386 compiled but for x86_64 series Macintosh computers.

An attacker would therefore have to take a legitimate binary from a clean macOS installation and then add something to it. The CPU type line in the new binary then has to be set to something strange and invalid in order to make it look like it isn’t native to the host chipset since this will instruct the kernel to skip over the legitimate code and start executing arbitrary processes that are added later on down the line.

Apple’s own engineers, however, don’t view the vulnerability as much of a threat as of the time of this writing. It would require a social engineering or phishing attack to get users to permit installation of an exploit. Nevertheless, a number of third-party developers have either issued patches or plan to issue them.

Users who are using any affected security tools are urged to update as soon as patches become available in order to prevent future problems, though no known use of this exploit has yet arisen.

John Rendace

John is a GNU/Linux expert with a hobbyist's background in C/C++, Web development, storage and file system technologies. In his free time, he maintains custom and vintage PC hardware. He's been compiling his own software from source since the DOS days and still prefers using the command line all these years later.