Microsoft discovers a major security flaw in macOS

A team of Microsoft security researchers found, and reported to Apple, a new macOS vulnerability dubbed Migraine. Apple has now patched the flaw, which lets attackers who already hold root privileges circumvent Apple's System Integrity Protection (SIP). With SIP out of the way, attackers can install "undeletable" malware and reach a victim's sensitive data by bypassing the Transparency, Consent, and Control (TCC) protections. According to Bleeping Computer, Apple patched the vulnerability in the May 18 security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7.

What is System Integrity Protection (SIP) from Apple?

System Integrity Protection (SIP) is a "rootless" macOS security mechanism. It stops potentially harmful applications from modifying specific system directories and files by restricting what even the root user account can do inside the operating system's protected areas.

SIP operates on the idea that only processes signed by Apple or those with special entitlements (such as Apple software updates and installers) are permitted to modify macOS-protected components.

Users should also be aware that disabling SIP normally requires rebooting the system into macOS Recovery (the built-in recovery environment), which in turn requires physical access to the device.

How attackers get through SIP security

Microsoft researchers found that attackers with root access can circumvent SIP enforcement by abusing the macOS Migration Assistant tool. Migration Assistant is a built-in macOS utility whose system migration daemon is exempt from SIP because it carries the com.apple.rootless.install.heritable entitlement.

The researchers demonstrated that attackers with root privileges can use AppleScript to automate the migration process and, after adding a malicious payload to SIP's exclusions list, execute it. Attackers do not need to restart the system or boot into macOS Recovery to accomplish this.

"By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks," the Microsoft Threat Intelligence team explained.
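As an added illustration (not Microsoft's or Apple's code), the following Python models the defender-side audit this finding suggests: enumerate which processes carry the com.apple.rootless.install.heritable entitlement, and flag child processes that inherit that SIP-bypassing context without holding the entitlement themselves. The process table and entitlement plists are constructed samples; on a real Mac the plist would come from a codesign entitlement dump (an assumption about local tooling, verify on your version).

```python
import plistlib
from typing import Dict, List, Set

# Entitlement named on the page; "heritable" means child processes inherit it.
HERITABLE = "com.apple.rootless.install.heritable"

# Constructed entitlement plists, in the XML form codesign prints (assumption).
HERITABLE_PLIST = (b'<plist version="1.0"><dict><key>'
                   + HERITABLE.encode() + b'</key><true/></dict></plist>')
EMPTY_PLIST = b'<plist version="1.0"><dict/></plist>'

# Constructed process table: pid, parent pid, executable path (placeholder paths).
SAMPLE_PROCS = [
    {"pid": 1,   "ppid": 0,   "path": "/constructed/launchd"},
    {"pid": 100, "ppid": 1,   "path": "/constructed/systemmigrationd"},
    {"pid": 200, "ppid": 100, "path": "/constructed/tmp/payload"},   # spawned by the daemon
    {"pid": 300, "ppid": 1,   "path": "/constructed/osascript"},
]
SAMPLE_ENTITLEMENTS: Dict[str, bytes] = {"/constructed/systemmigrationd": HERITABLE_PLIST}


def holds_entitlement(plist_xml: bytes, key: str = HERITABLE) -> bool:
    """True if the signed entitlement plist grants `key`."""
    return bool(plistlib.loads(plist_xml).get(key, False))


def inherited_sip_context(procs: List[dict], ents: Dict[str, bytes]) -> Set[int]:
    """PIDs running in the SIP-exempt context: holders of the entitlement
    plus every descendant, since the heritable entitlement passes to children."""
    by_pid = {p["pid"]: p for p in procs}

    def in_context(pid: int, depth: int = 0) -> bool:
        if depth > len(by_pid):           # guard against ppid cycles in bad data
            return False
        proc = by_pid[pid]
        if holds_entitlement(ents.get(proc["path"], EMPTY_PLIST)):
            return True
        return proc["ppid"] in by_pid and in_context(proc["ppid"], depth + 1)

    return {pid for pid in by_pid if in_context(pid)}


def suspicious_children(procs: List[dict], ents: Dict[str, bytes]) -> List[int]:
    """Processes that inherited the SIP-exempt context but whose own binary
    lacks the entitlement: the population an analyst should verify by hand."""
    ctx = inherited_sip_context(procs, ents)
    return sorted(p["pid"] for p in procs if p["pid"] in ctx
                  and not holds_entitlement(ents.get(p["path"], EMPTY_PLIST)))
```

Feed it a real process table and the entitlement dumps for each binary, and the returned list is the set of children worth checking against Apple's expected helpers.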

How this problem may affect users of macOS

According to the research, an arbitrary SIP bypass poses considerable risk once it is in the hands of malware developers. It gives malicious code far-reaching capabilities, such as creating SIP-protected malware that cannot be removed through regular deletion procedures.

The bypass also allows attackers to compromise system integrity by executing arbitrary kernel code, and to install rootkits that conceal malicious processes and files from security software.
