
Microsoft: Shrootless bug lets hackers install macOS rootkits
2021-10-28 16:44

Attackers could use a new macOS vulnerability discovered by Microsoft to bypass System Integrity Protection and perform arbitrary operations, elevate privileges to root, and install rootkits on vulnerable devices.

The Microsoft 365 Defender Research Team reported the vulnerability, dubbed Shrootless, to Apple through the Microsoft Security Vulnerability Research program.

SIP is a macOS security technology that blocks potentially malicious software from modifying protected folders and files by restricting the root user account and limiting the actions it can perform on protected parts of the OS. By design, SIP only allows processes signed by Apple or those with special entitlements to modify these protected parts of macOS. The Shrootless security issue was discovered by Microsoft's researchers after noticing that the system installd daemon had the com.
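The paragraph above turns on which entitlements a process carries: SIP lets only Apple-signed processes, or those holding specific entitlements, write to protected paths, and the bug came from an entitlement that child processes inherited. The script below is an added example (not code from the article, Microsoft or Apple) that a defender can use to inventory binaries holding entitlements in the SIP family. It parses the XML plist that `codesign -d --entitlements :- <binary>` prints on macOS; the `com.apple.rootless.` prefix and the `.inheritable` suffix are assumed from public macOS knowledge, not taken from the article, and the sample plist bytes are constructed, including the binary blob header that older codesign versions put in front of the XML.

```python
"""Inventory SIP-related entitlements from codesign output (added example)."""
import plistlib
import subprocess
import sys

# Entitlement family assumed from public macOS knowledge, not from the article.
SIP_PREFIX = "com.apple.rootless."

# Constructed sample: older codesign builds prefix the plist with a binary
# blob header (magic + length), so the parser must seek to "<?xml" rather
# than hand the raw bytes straight to plistlib.
SAMPLE_WITH_SIP_ENTITLEMENT = b"\xfa\xde\x71\x71\x00\x00\x01\x2c" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.inheritable</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict>
</plist>
"""

# Constructed sample of an ordinary sandboxed app with no SIP entitlement.
SAMPLE_WITHOUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""


def parse_entitlements(raw: bytes) -> dict:
    """Return the entitlement dict from codesign output.

    Tolerates the blob header and an empty result (unsigned binary or no
    entitlements), both of which plistlib would otherwise reject.
    """
    start = raw.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(raw[start:])


def sip_entitlements(raw: bytes) -> list:
    """Names of SIP-family entitlements that are actually enabled (true)."""
    ents = parse_entitlements(raw)
    return sorted(n for n, v in ents.items() if n.startswith(SIP_PREFIX) and v is True)


def is_inheritable(name: str) -> bool:
    """Inheritable entitlements pass to child processes, which is the
    property the article's inherited-permissions bug depended on."""
    return name.endswith(".inheritable")


def entitlements_of(path: str) -> bytes:
    """Ask codesign for a real binary's entitlements (macOS only)."""
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        capture_output=True, check=False,
    )
    return proc.stdout


def report(label: str, raw: bytes) -> None:
    names = sip_entitlements(raw)
    if not names:
        print(f"{label}: no SIP-family entitlements")
        return
    for n in names:
        flag = " (inheritable: propagates to child processes)" if is_inheritable(n) else ""
        print(f"{label}: {n}{flag}")


if __name__ == "__main__":
    # With paths on the command line, inspect real binaries; otherwise
    # run over the constructed samples so the script works offline.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            report(p, entitlements_of(p))
    else:
        report("sample-with-sip", SAMPLE_WITH_SIP_ENTITLEMENT)
        report("sample-without", SAMPLE_WITHOUT)
```

Run it with no arguments to see the parser handle both samples, or pass binary paths on a Mac (for example system daemons under `/usr/libexec`) to build an inventory; anything reported as inheritable deserves a look at what that process spawns, since that is the path by which an entitlement ends up in a child it was never meant for.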

"After bypassing SIP's restrictions, the attacker could then install a malicious kernel driver, overwrite system files, or install persistent, undetectable malware, among others."

Apple addressed the inherited permissions issue behind the Shrootless bug with additional restrictions.

Last week, Microsoft also reported finding new variants of macOS WizardUpdate malware, updated to use new evasion and persistence tactics.


News URL

https://www.bleepingcomputer.com/news/security/microsoft-shrootless-bug-lets-hackers-install-macos-rootkits/