When is Apple-signed code not actually signed by Apple? When a hacker can manipulate the code-signing process to impersonate Apple and sign off on malicious code, bypassing common third-party security tools and tricking users into thinking illegitimate software is verified.
Such a bypass attack has been possible for years on macOS and older versions of OS X, thanks to a flaw in Apple code-signing APIs, explains Josh Pitts, staff engineer for research and exploitation at Okta. Pitts discovered the bypass flaw in third-party developers’ interpretation of the APIs, which let unsigned malicious code appear as though it was verified by Apple and remain on a Mac until it was patched.
Read more about the security bypass weakness in macOS APIs that lets attackers impersonate Apple to sign malicious code on DarkReading.