Apple Addresses Critical macOS Vulnerability Allowing Undeletable Malware
Apple Takes Swift Action to Address Critical macOS Vulnerability Bypassing System Integrity Protection (SIP)
In a recent development, Apple has promptly responded to a significant vulnerability discovered by Microsoft security researchers. This flaw, codenamed “Migraine” and tracked as CVE-2023-32369, enables attackers with root privileges to bypass System Integrity Protection (SIP) on macOS. By circumventing Transparency, Consent, and Control (TCC) security checks, attackers could install “undeletable” malware and gain unauthorized access to victims’ private data.
Apple has released security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, effectively patching the vulnerability. These updates were rolled out on May 18, just two weeks ago, demonstrating Apple’s commitment to addressing security concerns promptly.
System Integrity Protection, commonly known as SIP or “rootless,” plays a critical role in macOS security. It prevents potentially malicious software from altering essential system files and directories. SIP achieves this by imposing restrictions on the root user account, limiting its capabilities within protected areas of the operating system. The primary objective of SIP is to ensure that only Apple-signed processes or those with specific entitlements can modify macOS-protected components.
Notably, disabling SIP is not a straightforward task, as it requires a system restart and booting from macOS Recovery—an option only available when physical access to the compromised device is already obtained.
However, Microsoft’s researchers uncovered an avenue for attackers with root permissions to bypass SIP enforcement. They exploited the macOS Migration Assistant utility, leveraging the systemmigrationd daemon’s SIP-bypassing capabilities granted by the com.apple.rootless.install.heritable entitlement. This allowed attackers to automate the migration process using AppleScript, add a malicious payload to SIP’s exclusions list, and execute it without the need for a system restart or macOS Recovery boot.
The Microsoft Threat Intelligence team showcased that by focusing on system processes signed by Apple and possessing the com.apple.rootless.install.heritable entitlement, they could tamper with specific child processes. This manipulation enabled arbitrary code execution, bypassing SIP checks and creating a security context that evades detection.
Bypassing SIP introduces significant risks, particularly when exploited by malware creators. It empowers malicious code to have far-reaching consequences, including the creation of SIP-protected malware that remains resistant to standard deletion methods. Furthermore, it expands the attack surface, allowing attackers to tamper with system integrity through arbitrary kernel code execution. In some cases, attackers could even install rootkits to conceal malicious processes and files from security software.
By bypassing SIP protection, threat actors can completely evade Transparency, Consent, and Control (TCC) policies. This grants them unrestricted access to the victim’s private data by replacing TCC databases. The implications of this bypass are severe and demand immediate attention.
This is not the first time Microsoft researchers have discovered vulnerabilities in macOS. In 2021, they reported another SIP bypass known as Shrootless, enabling attackers to execute arbitrary operations, escalate privileges to root, and potentially install rootkits on compromised Macs. More recently, Jonathan Bar Or, a principal security researcher at Microsoft, unearthed a security flaw named Achilles. This flaw allowed attackers to deploy malware through untrusted apps capable of bypassing Gatekeeper execution restrictions. Additionally, Bar Or discovered powerdir, another macOS security bug that permits attackers to bypass TCC technology, accessing users’ protected data.
The proactive steps taken by Apple to address this vulnerability demonstrate the ongoing battle to safeguard macOS from evolving threats. As the cybersecurity landscape continues to evolve, it is imperative for users to stay vigilant, keep their systems updated, and follow recommended security practices to protect their data and privacy.
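As an added example (not code from the article, BleepingComputer, Apple or Microsoft), the following script turns the advisory's fix list into a fleet check: it decides whether a host's macOS release carries the CVE-2023-32369 fix and whether SIP is actually enabled. It assumes the standard `sw_vers -productVersion` and `csrutil status` output formats, which exist only on macOS; the pure functions run anywhere.

```python
"""Patch/SIP posture check for CVE-2023-32369 ("Migraine").

Fixed releases, as listed in the article: Ventura 13.4, Monterey 12.6.6,
Big Sur 11.7.7. Assumption: anything older than Big Sur was out of support
in May 2023 and is treated as unpatched; anything newer than Ventura is
treated as carrying the fix.
"""
import re
import subprocess

# Minimum patched release per major line, from the article's fix list.
FIXED = {11: (11, 7, 7), 12: (12, 6, 6), 13: (13, 4, 0)}


def parse_version(text: str) -> tuple:
    """Turn '13.4' or '12.6.6' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"not a macOS version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())  # missing parts pad to 0


def is_patched(version: str) -> bool:
    """True if this release includes Apple's fix for CVE-2023-32369."""
    v = parse_version(version)
    major = v[0]
    if major > max(FIXED):      # later major lines ship with the fix
        return True
    if major not in FIXED:      # Catalina and older: unsupported, no fix
        return False
    return v >= FIXED[major]


def sip_enabled(csrutil_output: str) -> bool:
    """Parse `csrutil status` text; only a plain 'enabled' counts as fully on."""
    return re.search(r"status:\s*enabled\.", csrutil_output) is not None


def assess(version: str, csrutil_output: str) -> str:
    """One-line posture verdict for a host from its version and csrutil text."""
    if not sip_enabled(csrutil_output):
        return "SIP disabled: root already unrestricted, re-enable SIP first"
    if is_patched(version):
        return "patched"
    return "UNPATCHED: update to 11.7.7 / 12.6.6 / 13.4 or later"


if __name__ == "__main__":  # live check; the two commands exist only on macOS
    ver = subprocess.run(["sw_vers", "-productVersion"], capture_output=True, text=True).stdout
    sip = subprocess.run(["csrutil", "status"], capture_output=True, text=True).stdout
    print(assess(ver.strip(), sip))
```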
Source: bleepingcomputer.com