Hackers could have, in the past 14 years, bypassed Apple's OS security on the Mac
https://okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/
Hopefully, Agilebits and 1Password weren't affected.
Comments
-
No problem. As stated in the report, for example, Little Snitch, VirusTotal, and even Facebook apps are affected, although I don’t use them.
“Affected Vendors:
VirusTotal – CVE-2018-10408
Google – Santa, molcodesignchecker – CVE-2018-10405
Facebook – OSQuery - CVE-2018-6336
Objective Development – LittleSnitch – CVE-2018-10470
F-Secure - xFence (also LittleFlocker) CVE-2018-10403
Objective-See – WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer (and others). – CVE-2018-10404
Yelp - OSXCollector – CVE-2018-10406
Carbon Black – Cb Response – CVE-2018-10407”
Could be more affected apps out there.
0 -
It takes an odd combination of build settings and code-signing practices to be affected, so it is unlikely 1Password has been. I can't attest that each and every version we've released has been immune. It also appears that this bug in the code signing has only recently been discovered. (It really isn't uncommon for bugs to go undiscovered for very long times, so I'm a bit annoyed at the headline.) There have been no indications that this has been exploited in the wild.
While code signing is very important for security, we also have other checks in our updater for detecting tampering. None of those checks offer any complete guarantee, but they do make it far more likely that any attempt at delivering an inauthentic version of 1Password would be detected.
0 -
(It really isn't uncommon for bugs to go undiscovered for very long times, so I'm a bit annoyed at the headline.) There have been no indications that this has been exploited in the wild.
I will leave it up to Agilebits if they should decide to change the OP topic to something more appropriate?
0 -
Oh, I wasn't complaining about your title for this thread, @wkleem. It was mostly just a gripe about a lot of tech journalism.
0 -
@jpgoldberg, I know what you mean.
0 -
:crazy: :+1:
0