
Mechanism many macOS security tools used to check signatures could be bypassed - el_duderino
https://arstechnica.com/information-technology/2018/06/simple-technique-bypassed-macos-signature-checks-by-third-party-tools/
======
terrik
> “To be clear, this is not a vulnerability or bug in Apple’s code...
> basically just unclear/confusing documentation that led to people using
> their API incorrectly,” Wardle told Ars. “Apple updated [its] documents to
> be more clear, and third-party developers just have to invoke the API with a
> more comprehensive flag (that was always available).”

~~~
kerng
A core security principle is Secure by Default - arguable that's something
Apple can improve here.

~~~
jonny_eh
I came here to say just that. If you have to opt-in to doing the right thing,
then the API is NOT secure.

~~~
augbog
They might have done it because existing people weren't doing it and it would
have introduced a breaking change potentially.

Not making an excuse for them though. They should have done that.

~~~
saghm
Preventing users from doing something insecure sounds like a perfect reason to
make a breaking change.

------
spockz
If the application code is responsible for checking the signatures, what stops
the attacker to just ship an older, vulnerable application together with his
bad binary? I would dare to say that macOS should do the validation before
executing any binary.

~~~
shawnz
The bug isn't in mac OS's signature validation though, which works fine. The
bug lies in the additional validation performed by certain third-party
security products. It has nothing to do with any of Apple's code whatsoever.
Although as another commenter has pointed out, Apple could maybe have designed
the API better to avoid it being used wrongly.

~~~
spockz
Ah. I misinterpreted this as bugs in applications scanning their own bundle.
But it is about security tools not properly verifying other binaries. Got it.

------
olliej
Wow, talk about bogus headline. Actual bug: "3rd party security products don't
validate signatures correctly"

------
shawnz
Headline is very misleading. The article is just describing a bug which
happened to be present in several different 3rd party security apps, not
necessarily every 3rd party app. The article also notes that no tool built
into mac OS ever had the issue.

