hoakley February 22, 2018 Macs, Technology

A bug in signature-checking weakens most anti-malware tools

One of the basic checks which all malware protection should make is whether apps and other code have been correctly signed. Details of a bug revealed in Twitter today by Patrick Wardle, of Securita Security and Objective-See, demonstrate that most anti-malware tools can easily be spoofed into accepting completely fictitious certificates.

The problem lies buried in a macOS Global Function, SecStaticCodeCheckValidity(), which is used by almost all signature-checking tools and apps (including Apple’s command line tools) to validate the signature of a file. Apple’s description of this function reads:
This function obtains and verifies the signature on the code specified by the code object. It checks the validity of all sealed components, including resources (if any). It validates the code against a code requirement if one is specified. The call succeeds if all these conditions are satisfactory.

It is possible for a malware author to trick this function into returning a successful result, claiming that there is a valid certificate from Apple, although there is nothing of the kind.

macOS Gatekeeper doesn’t appear to be affected by this, so it should still return reliable results. However, the flawed function is used by most, perhaps all, other anti-malware tools. Malware which exploits this vulnerability could therefore pass this stage of their checks.

Patrick has found a workaround, and has already updated Objective-See’s invaluable signature-checking tool What’s My Sign?, which shouldn’t now succumb to this spoofing. If you rely on any other malware checking tools, such as an anti-virus product, you may want to install the updated What’s My Sign? (version 1.4.1) and perform manual checks until that product has been updated to address this problem.

Anti-virus and security product vendors should already be busy preparing updates to all their apps.

Postscript:

Patrick Wardle points out that this bug was first discovered and reported by Josh Pitts. He also reports that SecStaticCodeCheckValidity() does work if you tell it to perform strict verification, or to verify all the architectures in the file. However, its default flags (which should validate the ‘native’ architecture which will run when you run the code) fail in this case, resulting in this incorrect behaviour.

19Comments

Add yours

1

Dimitris on February 23, 2018 at 8:37 am

Today, checking with the WhatsYourSign.app I found some signing issues in the following applications: iTunes, GarageBand, Keynote, Numbers, Pages, and I’m not sure about XCode because it stuck.
What exactly is the unknown (status/error: -67054)?
Thanks in advance!

LikeLiked by 1 person
- 2
  
  hoakley on February 23, 2018 at 8:45 am
  
  Thank you.
  Are you using High Sierra? In Sierra 10.12.6, those apps (apart from Xcode) are all given as being correctly signed here. Xcode doesn’t seem to want to complete here either.
  I’ll pass this information on to Patrick Wardle.
  Howard.
  
  LikeLike
  - 3
    
    hoakley on February 23, 2018 at 8:56 am
    
    Patrick is taking a look at this now.
    He says that the problem with such strict checking is that some existing items may not pass as clearly, and need less strict checks! Xcode is so large that checking may take a very long time.
    Howard.
    
    LikeLike
  - 4
    
    Dimitris on February 23, 2018 at 8:57 am
    
    Thanks for your reply.
    No, I don’t use High Sierra because of it’s so many problems. I got back in Sierra 10.12.6.
    But what the unknown (status/error: -67054) really means? Where can I read about these codes?
    Thanks again for your time.
    
    LikeLike
    - 5
      
      hoakley on February 23, 2018 at 9:01 am
      
      That is an error code, which apparently means “A sealed resource is missing or invalid.”
      These error codes are conveniently defined in Apple’s labyrinthine developer documentation, in most cases. This makes it impossible for the great majority of users to understand or interpret them.
      Fortunately, there is a superb website which can check them for you, here.
      That’s where I looked that error up!
      Howard.
      
      LikeLike
6

Dimitris on February 23, 2018 at 9:11 am

So, that means there may be some problem with the applications or it is not something that has to worry me?
Thanks for the information about the codes.
Dimitris

LikeLike
- 7
  
  hoakley on February 23, 2018 at 9:15 am
  
  This is not something that you should worry about. This is a problem in macOS support for checking signatures, not in the signatures themselves. Presuming that you obtained these apps from the App Store, there is no reason to suspect that there is anything wrong with them.
  If you want to be completely certain, you could delete your copies and download them again from the App Store, but I wouldn’t waste your time and effort doing that, if I were you.
  I hope that reassures you,
  Howard.
  
  LikeLike
  - 8
    
    Dimitris on February 23, 2018 at 9:22 am
    
    OK, I understand. You clarified my concerns.
    Thanks a million!
    Keep going the good job.
    Have a nice day!
    Dimitris
    
    LikeLiked by 1 person
9

David Brooks on June 19, 2019 at 9:55 am

Hello 🙂

I’ve asked Patrick Wardle to run a check on the software available here:- http://www.clamxav.com but he’s said that, at the moment, he is too busy.

Do you, Howard, have any view on whether or not ClamXav might possibly be a scam?

Btw, I’ve really enjoyed exploring your website – especially the ‘Painting’ area.

David B.

LikeLiked by 1 person
- 10
  
  hoakley on June 19, 2019 at 11:49 am
  
  Thank you.
  No, I don’t think that ClamXAV is a scam at all.
  ClamAV is a well-known and widely-used open source anti-malware tool which is in active development and very well-supported. It’s cross-platform, and some years ago someone offered a friendly packaged version with a GUI front end for macOS, called ClamXAV, which I used from time to time.
  As far as I can tell from that website, ClamXAV, which is developed by a legitimate Scottish company with identified developers and staff, is a successor to that, which uses the ClamAV engine. How much it adds to that I don’t know: that’s a question which you might put to them.
  Evaluating the efficacy of any anti-malware product is not easy, and I don’t know of anywhere which has performed such an evaluation of this product. There are other established anti-malware products with known reputations, such as Malwarebytes, which are alternatives. I don’t know whether either is demonstrably any better, though.
  I hope that helps.
  Howard.
  
  LikeLike
  - 11
    
    David B. on June 19, 2019 at 1:28 pm
    
    Thank you so much for your prompt reply, Howard.
    
    I have followed Malwarebytes since its inception and am aware that there is a free version for the Apple Mac (I’ve used it too!). At the moment, I’m carrying out a ‘trial’ of Airo AV – the small company is a supporter of https://objective-see.com/about.html (so I hope it’s OK!)
    
    One thing that has bothered me is the very poor standing in the Facebook page here:-
    https://www.facebook.com/clamxav/
    Few people ‘like’ it. I’d have expected all purchasers of the product to have ‘liked’ the page.
    
    Should you ever have time to have a closer look at ClamXav, please do so.
    
    David B.
    
    LikeLike
  - 12
    
    David B. on June 20, 2019 at 9:37 pm
    
    Howard
    
    I sent you an email this morning. Please check your SPAM folder!
    
    I’ve also posted ‘Visitor posts’ here:- https://www.facebook.com/pg/airoav/posts/
    
    A scan with Airo AV came up clean.
    
    It’s a long story, but I’ve used ClamXav (and paid for it!) but wan’t entirely happy with answers I was given by the support staff. Long story short, ClamXav supposedly found malware on an official Broadband DVD issued to me by letter from AOL some years ago. I’ve scanned it with many other AVs and the disk is apparently ‘clean’. You will find detail of the alleged ClamXav findings in this thread on the Microsoft Answers forums (don’t ask!!)
    
    https://answers.microsoft.com/en-us/protect/forum/all/ramnit-trojan-on-imac-aol-disk-from-2008-false/e18cc0a4-5895-412e-9306-e565d2571849
    
    I’m fairly confident that if there HAD been malware on my DVD ClamXav could not have removed them from it! 😉
    
    With kind regards,
    
    David
    aka Davoud1945
    
    LikeLiked by 1 person
    - 13
      
      hoakley on June 20, 2019 at 9:49 pm
      
      Thanks: yes, I’ve yet to get to today’s email despite starting at 0530 this morning!
      False positives are an unfortunate problem with most anti-malware software, and particularly tricky for cross-platform software because of the great number and variety of signatures to check. That is no indication of whether a product is a ‘scam’. Indeed, finding something suggests that it is performing a scan and looking for signatures.
      Howard.
      
      LikeLike
14

David B. on June 21, 2019 at 9:37 am

I’ll respond to your email later today, Sir! 😉

Perhaps you’ll have more success reading this thread, started by a personal friend of mine:-

https://discussions.apple.com/thread/8501518?answerId=33866603022&page=1

Do you ever participate in the ASC or Developer forums?

I’d like you to consider the possibility of malware being loaded ON to an Apple computer when one installs ClamXav – or is that impossible? Indeed, who would even think to check?!!! HOW can one check? There must be a better method than intuition and a ‘hinky’ feeling!

Yours aye

David

LikeLike
- 15
  
  hoakley on June 21, 2019 at 11:32 am
  
  Thanks. Unfortunately, there’s a fair bit of weak or incorrect information there.
  No, I don’t participate in other forums generally – most of my Q&A work is done for magazines like MacFormat and Mac|Life, and of course here.
  Any software which loads malware is malware itself. I’d be extremely cautious about ever suggesting that a product did that without extremely convincing evidence. I stand by what I wrote about ClamXAV: it appears to be a perfectly genuine product, but I haven’t seen it evaluated for its efficacy.
  Releasing software which loads malware is a serious criminal offence in most jurisdictions, and a very short-term business model. It’s also relatively easy for professionals to detect.
  Howard.
  
  LikeLike
16

David B. on June 21, 2019 at 12:16 pm

Do you consider yourself to be a “professional” in this regard?

WHICH professionals might actually have taken a look?

LikeLiked by 1 person
- 17
  
  hoakley on June 21, 2019 at 12:42 pm
  
  No I’m not.
  The professionals work for companies who offer good Mac security products.
  Howard
  
  LikeLike
18

David B. on June 21, 2019 at 10:03 pm

Which AV product do YOU use on YOUR iMac, Howard?

LikeLiked by 1 person
- 19
  
  hoakley on June 21, 2019 at 10:19 pm
  
  I don’t use one regularly. Although I do download a lot of images, I download very few apps.
  When I feel that I might need one, I use a product such as (but not exclusively) Malwarebytes.
  Howard.
  
  LikeLike

·Comments are closed.

Share this:

Related