Hackers could have, in the past 14 years, bypassed Apple's OS security on the Mac

Comments

  • AGAlumB
    1Password Alumni

    @wkleem: My understanding is that the list of affected parties is so small because this only impacts the use of certain APIs, but I've asked the security team to weigh in here since I'm bound to get some of the details wrong. Thanks for bringing this up! :)

  • wkleem
    Community Member

    No problem. As stated in the report, for example Little Snitch, VirusTotal, even Facebook apps are affected, although I don't use them.

    “Affected Vendors:

    VirusTotal – CVE-2018-10408
    Google – Santa, molcodesignchecker – CVE-2018-10405
    Facebook – OSQuery - CVE-2018-6336
    Objective Development – LittleSnitch – CVE-2018-10470
    F-Secure - xFence (also LittleFlocker) CVE-2018-10403
    Objective-See – WhatsYourSign, ProcInfo, KnockKnock, LuLu, TaskExplorer (and others). – CVE-2018-10404
    Yelp - OSXCollector – CVE-2018-10406
    Carbon Black – Cb Response – CVE-2018-10407”

    Could be more affected apps out there.

  • jpgoldberg
    1Password Alumni

    It takes an odd combination of build settings and code-signing practices to be affected, so it is unlikely 1Password has been. I can't attest that each and every version we've released has been immune. It also appears that this bug in the code signing has only recently been discovered. (It really isn't uncommon for bugs to go undiscovered for very long times, so I'm a bit annoyed at the headline.) There have been no indications that this has been exploited in the wild.

    While code signing is very important for security, we also have other checks in our updater for detecting tampering. None of those checks offer any complete guarantee, but they do make it far more likely that any attempt at delivering an inauthentic version of 1Password would be detected.

  • wkleem
    Community Member

    “(It really isn't uncommon for bugs to go undiscovered for very long times, so I'm a bit annoyed at the headline.) There have been no indications that this has been exploited in the wild.”

    I will leave it up to AgileBits to decide whether to change the OP topic to something more appropriate.

  • jpgoldberg
    1Password Alumni

    Oh, I wasn't complaining about your title for this thread, @wkleem. It was mostly just a gripe about a lot of tech journalism.

  • wkleem
    Community Member

    @jpgoldberg, I know what you mean.

  • AGAlumB
    1Password Alumni

    :crazy: :+1: