macOS Big Sur
Microsoft Discovers macOS Bug Allowing Hackers to Bypass SIP Root Restrictions

Microsoft’s security researchers have uncovered a critical vulnerability in macOS. It enables hackers with root privileges to bypass System Integrity Protection (SIP). By exploiting this flaw, attackers can install “undeletable” malware and gain unauthoriz access to a victim’s private data. All while evading Transparency, Consent, and Control (TCC) security checks. The vulnerability, codenamed “Migraine” and officially tracked as CVE-2023-32369, was promptly reported to Apple by the Microsoft team.

Apple has released security updates to address this vulnerability in the macOS operating system. Users can protect their systems by installing the latest updates, which include macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7. These updates, released on May 18, aim to patch the vulnerability and mitigate the risks associated with SIP exploitation.

Understanding System Integrity Protection (SIP)

System Integrity Protection (SIP), or “rootless,” is a crucial security mechanism in macOS. It prevents potentially malicious software from modifying specific files and folders. It is by imposing restrictions on the root user account within protected areas of the operating system. SIP operates under the principle that only process signed by Apple or those with special entitlements. This includes Apple software updates and installers, should be authorized to modify macOS-protected components.

The Vulnerability and SIP Bypass

It is worth noting that disabling SIP is not possible without restarting the system and booting off macOS Recovery, which requires physical access to a compromised device. However, the Microsoft research team discovered that attackers with root permissions could bypass SIP security enforcement by exploiting the macOS Migration Assistant utility. This built-in macOS app utilizes the system migration daemon, which possesses SIP-bypassing capabilities through its entitlement.

The researchers demonstrated that attackers with root permissions could automate the migration process using AppleScript. By adding the malicious payload to SIP’s exclusions list, they could execute arbitrary code without restarting the system. And also boot from macOS Recovery. Exploiting processes signed by Apple with the entitlement, the researchers identified two child processes that could be tampered with, enabling bypassing SIP checks.

Implications and Risks of Vulnerability

The implications of arbitrary SIP bypasses are significant, particularly when leveraged by malware creators. It empowers malicious code to have widespread effects. It includes creating SIP-protected malware that cannot be removed through standard deletion methods. Additionally, bypassing SIP protection expands the attack surface, enabling attackers to tamper with system integrity through arbitrary kernel code execution. This could potentially facilitate the installation of rootkits to conceal malicious processes and files from security software.

Bypassing SIP Protection Grants

Furthermore, bypassing SIP protection grants threat actors complete access to the victim’s private data by circumventing Transparency, Consent, and Control (TCC) policies. This allows attackers to replace TCC databases and gain unrestricted access to sensitive information. This discovery is not the very first of its kind. Microsoft researchers reported another SIP bypass named Shrootless in 2021. Shrootless permitted attackers to perform arbitrary operations on compromised Macs. It escalate privileges to root, and potentially install rootkits on vulnerable devices.

In a more recent finding, Microsoft principal security researcher Jonathan Bar Or identified a security flaw known as Achilles. This vulnerability enables attackers to deploy malware through untrusted apps capable of evading Gatekeeper execution restrictions. Another macOS security bug is powerdir. It allows attackers to bypass TCC technology and access users’ protected data.

Apple’s Swift Response

Apple’s swift response to this latest vulnerability underscores its commitment to addressing security issues promptly. Users should update their macOS systems to the latest security updates, including macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7. These updates contain patches that mitigate the risks associated with the SIP bypass vulnerability.

Vulnerability Recap

The discovery of the macOS bug by Microsoft’s security researchers highlights the ongoing efforts to identify and address vulnerabilities in operating systems. The vulnerability allowed attackers with root privileges to bypass System Integrity Protection (SIP) and install “undeletable” malware, bypassing Transparency, Consent, and Control (TCC) security checks. Apple responded promptly by releasing security updates to patch the vulnerability and protect users’ systems.