Cybersecurity mistake meant Macs could have hosted nasty files

Guidance from Apple confused makers of widely used "whitelisting" tools, leading to errors.

Important tools for keeping malicious software off Macs could have been tricked, cybersecurity firm Okta said in research made public Tuesday.

Okta researchers examined several whitelisting services that scan files for Mac computers and discovered that the tools could allow bad code to skate by and look like it had been cleared by Apple.

"The impact is that I can take malicious code and make it look like it's signed by Apple itself," said Josh Pitts, Okta's senior penetration testing engineer.

The tools, which are made by third parties and not Apple, can give peace of mind to savvy computer users and forensic cybersecurity experts by greenlighting files that are clearly legitimate. That's important, because even though malicious software designed to attack Apple's computers is less common than nastiness aimed at Windows computers, Mac malware is real.

The tools are provided by major tech companies such as Facebook, Google and Yelp, as well as cybersecurity companies including Chronicle, Carbon Black, F-Secure, Objective Development and Objective-See. In Okta's tests, the tools didn't catch malicious files with fudged credentials. After some investigating, Okta said it learned that the software developers responsible for the tools had misunderstood Apple's guidance for running a whitelisting service on Macs.

The errors show that even tech giants can get things wrong. Okta doesn't have examples of real malware making use of the flaws and finding a home on Macs. And all of the companies involved except for Carbon Black and Objective Development told CNET they addressed the problem earlier this year after learning about it from Okta researchers. But the researchers say other tools that Okta hasn't tested might have similar flaws, so they're offering guidance to help software makers fix their tools.

You might not have heard of whitelisting, but the approach is an important piece of the puzzle when it comes to stopping hackers.

"These tools are generally more trusted than antivirus software," Pitts said.
