Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses for Years

by

Hackers have had an "easy way" to get certain malware past signature checks in third-party security tools since Apple's OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that hackers could essentially trick the security tools -- designed to sniff out suspiciously signed software -- into thinking the malware was officially signed by Apple while they in fact hid malicious software.

macos code signing bypass
The researchers said that the signature bypassing method is so "easy" and "trivial" that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple. These digital signatures are core security functions that let users know the app in question was signed with the private key of a trusted party, like Apple does with its first-party apps.

Joshua Pitts, senior penetration testing engineer for security firm Okta, said he discovered the technique in February and informed Apple and the third-party developers about it soon after. Okta today also published information about the bypass, including a detailed disclosure timeline that began on February 22 with a report submitted to Apple and continues to today's public disclosure.

Ars Technica broke down how the method was used and which third-party tools are affected:

The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in the bundle had to be signed by Apple. At least eight third-party tools would show other non-signed executable code included in the same bundle as being signed by Apple, too.

Affected third-party tools included VirusTotal, Google Santa, Facebook OSQuery, the Little Snitch Firewall, Yelp, OSXCollector, Carbon Black’s db Response, and several tools from Objective-See. Many companies and individuals rely on some of the tools to help implement whitelisting processes that permit only approved applications to be installed on a computer, while forbidding all others.

Developer Patrick Wardle spoke on the topic, explaining that the bypass was due to ambiguous documentation and comments provided by Apple regarding the use of publicly available programming interfaces that make digital signature checks function: "To be clear, this is not a vulnerability or bug in Apple's code... basically just unclear/confusing documentation that led to people using their API incorrectly." It's also not an issue exclusive to Apple and macOS third-party security tools, as Wardle pointed out: "If a hacker wants to bypass your tool and targets it directly, they will win."

For its part, Apple was said to have stated on March 20 that it did not see the bypass as a security issue that needed to be directly addressed. On March 29, the company updated its documentation to be more clear on the matter, stating that "third-party developers will need to do additional work to verify that all of the identities in a universal binary are the same if they want to present a meaningful result."

Tag: Security

Popular Stories

ios 26 1 slide to stop

iOS 26.1 Brings Back 2007 Feature in New Way

Friday October 31, 2025 1:40 pm PDT by
The upcoming iOS 26.1 update includes a small but helpful change for iPhones, and it could prevent you from running late to something important. Specifically, when an alarm goes off in the Clock app, there is a new "slide to stop" control on the screen for turning off the alarm. On previous iOS 26 versions, there is simply a large "stop" button, which could be accidentally tapped. The new ...
Read Full Article59 comments
M5 MacBook Pro

Waiting for New Macs? Apple Just Shared Bad News

Friday October 31, 2025 7:32 am PDT by
Apple has just given a strong indication that it will not be releasing any additional new Macs for the remainder of the year. Apple's CFO Kevan Parekh dropped the hint during the company's earnings call on Thursday:On Mac, keep in mind, we expect to face a very difficult compare against the M4 MacBook Pro, Mac mini, and iMac launches in the year-ago quarter.Parekh essentially gave a heads up ...
Read Full Article102 comments
Apple Foldable Thumb

iPhone Fold: Launch, Pricing, and What to Expect From Apple's Foldable

Friday October 31, 2025 8:52 am PDT by
Apple is expected to launch a new foldable iPhone next year, based on multiple rumors and credible sources. The long-awaited device has been rumored for years now, but signs increasingly suggest that 2026 could indeed be the year that Apple releases its first foldable device. Below, we've collated an updated set of key details that have been leaked about Apple's foldable iPhone so far. Ove...
Read Full Article83 comments
Coffee Burgundy and Purple iPhone 18 Pro Mock 1

Leaker Outlines Potential New Colors for iPhone 18 Pro

Friday October 31, 2025 8:28 am PDT by
Apple's iPhone 18 Pro models could be available in new rich and warm color option, according to a known leaker. The Weibo user known as "Instant Digital" today suggested that next-year's iPhone 18 Pro models will be available in at least one of the following color options: Coffee, purple, and burgundy. The iPhone XR, iPhone 11, iPhone 12, iPhone 14, and iPhone 14 Pro were all available in ...
Read Full Article134 comments
Apple Logo Spotlight

Report: Apple to Launch These New Products in 2026

Sunday November 2, 2025 5:34 am PST by
Apple is planning to launch at least 15 new products in 2026, according to Bloomberg's Mark Gurman. Gurman outlined what to expect from Apple in 2026 in the latest edition of his "Power On" newsletter. He said the company is heading "into one of its most pivotal years in recent memory," with the rollout of major new Apple Intelligence features, intense regulatory pressure on the App Store,...
Read Full Article29 comments
Apple Intelligence General Feature 2

New Version of Siri to 'Lean' on Google Gemini

Sunday November 2, 2025 6:06 am PST by
In his "Power On" newsletter, Bloomberg's Mark Gurman today provided an update on the status of Apple Intelligence and the plans for it in 2026. Apple is still planning to roll out its revamped version of Siri around March of next year. The release should be accompanied by the release of a new smart home display product with speaker-base and wall-mount options. A new Apple TV and HomePod...
Read Full Article125 comments
HomePod mini and Apple TV

New Apple TV and HomePod Mini Likely Launching Soon

Sunday November 2, 2025 5:49 am PST by
A new Apple TV and HomePod mini could launch as soon as this month, Bloomberg's Mark Gurman today suggested. In today's "Power On" newsletter, Gurman said that Apple retail stores are planning an overnight refresh on the evening of November 11, where changes will be made after closing, such as refreshing displays and placing new products for the following day. The timing of the overnight...
Read Full Article57 comments
iPhone 17 Pro Cosmic Orange

8 Reasons to Wait for Next Year's iPhone 18 Pro

Thursday October 30, 2025 4:42 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article120 comments
iOS 26

6 New Things Your iPhone Can Do in iOS 26.1

Wednesday October 29, 2025 4:22 am PDT by
Apple is about to drop iOS 26.1, the first major point release since iOS 26 was rolled out in September, and there are at least six notable changes and improvements to look forward to. We've rounded them up below. Apple has already provided developers and public beta testers with the release candidate version of iOS 26.1, which means Apple will likely roll out the update to all compatible...
Read Full Article62 comments

Top Rated Comments

OldSchoolMacGuy Avatar
OldSchoolMacGuy
97 months ago
These companies are prioritizing speed for security. We can assume they'll now implement proper checks, but it will come at the cost of speed.

I'm sure most won't bother to read this article and blame Apple, but the real blame here is with developers including Little Snitch, xFence, and Facebook's OSquery. They're the ones that failed to properly check these signatures.
Score: 12 Votes (Like | Disagree)
ThunderSkunk Avatar
ThunderSkunk
97 months ago
Wow, but somehow, I'm less concerned about the security threat than I am excited to have discovered the job title "Senior Penetration Testing Engineer". ...someone's up for a performance review & promotion!
Score: 6 Votes (Like | Disagree)
skin88 Avatar
skin88
97 months ago
Does Apple give a damn?? Obviously not. It's focused now on important kindergarten stuff like animojis and AR gimmicks.
Score: 5 Votes (Like | Disagree)
slimtastic Avatar
slimtastic
97 months ago
This is very bad. Thank goodness for white-hats who find this stuff out.
Score: 4 Votes (Like | Disagree)
konqerror Avatar
konqerror
97 months ago

I'm sure most won't bother to read this article and blame Apple, but the real blame here is with developers including Little Snitch, xFence, and Facebook's OSquery. They're the ones that failed to properly check these signatures.
It's Apple's fault. When 8 separate developers use the API in the wrong way, there's an issue with the API and instructions.
Score: 4 Votes (Like | Disagree)
OldSchoolMacGuy Avatar
OldSchoolMacGuy
97 months ago
It's Apple's fault. When 8 separate developers use the API in the wrong way, there's an issue with the API and instructions.
No, it's really not. It's the developers responsibility to use the proper security procedures in their app. Is it the states fault that people fail to follow speed limit signs?
Score: 2 Votes (Like | Disagree)
Read All Comments