
Shrootless: Microsoft found a way to evade Apple's SIP macOS filesystem protection
2021-10-29 18:01

An Apple software installation daemon called system_installd allowed its child processes to bypass SIP's normal restrictions on filesystem access.

Unleashed on world+dog with 2015's El Capitan release, MacOS SIP is intended to ensure that system-level files on a Mac can only be modified by Apple-signed installers or the fruity firm's own update mechanism - locking out even root users.

Copying new files into SIP-protected directories means having the ability to bypass SIP, implemented as two specific permissions.

The inheritable permission was applied to the system_installd daemon, meaning its child processes could also completely bypass SIP. Microsoft found that Apple-signed installer packages are executed by system_installd - and the daemon runs any post-installation scripts in the package with zsh.
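For defenders, the inheritance chain described above can be turned into a triage query: list writes into SIP-protected locations made by processes launched from a zsh that itself descends from system_installd. The sketch below is an added example, not code from Microsoft, Apple or The Register; the event tuple layout, the sample events and the simplified protected-path list are assumptions, and a hit is something to review, not proof of abuse, since legitimate packages also run scripts.

```python
import os

# Simplified list of SIP-protected prefixes (assumption); /usr/local is exempt.
PROTECTED = ("/System/", "/usr/", "/bin/", "/sbin/")
EXEMPT = ("/usr/local/",)

# Constructed events: (pid, ppid, executable, files_written). Not a real EDR schema.
EVENTS = [
    (1, 0, "/sbin/launchd", []),
    (210, 1, "/constructed/path/system_installd", []),
    (305, 210, "/bin/zsh", []),
    (306, 305, "/bin/cp", ["/usr/libexec/constructed_helper"]),
    (307, 305, "/usr/bin/touch", ["/usr/local/share/constructed.txt"]),
    (400, 1, "/bin/zsh", []),
    (401, 400, "/bin/cp", ["/Users/alice/notes.txt"]),
]

def is_protected(path):
    return path.startswith(PROTECTED) and not path.startswith(EXEMPT)

def ancestry(pid, by_pid):
    """Return executable basenames from pid's parent up to the root."""
    chain, seen = [], set()
    ppid = by_pid[pid][1]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(os.path.basename(by_pid[ppid][2]))
        ppid = by_pid[ppid][1]
    return chain

def script_writes_under_installd(events):
    """Find protected-path writes by processes launched from a zsh that
    descends from system_installd, i.e. package-script activity that
    inherited the daemon's SIP-bypass permission."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, _ppid, exe, written in events:
        chain = ancestry(pid, by_pid)
        if "zsh" in chain and "system_installd" in chain[chain.index("zsh"):]:
            hits += [(pid, exe, p) for p in written if is_protected(p)]
    return hits

if __name__ == "__main__":
    for hit in script_writes_under_installd(EVENTS):
        print("review:", hit)
```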

SIP has been a feature of MacOS going back to 2015 - and, thanks to the powerful privileges it exposes, has been a feature of security research.

Back in 2018 an irritated chap discovered that SIP prevented him from fully deleting an Android emulator, while further back in time Apple was forced to patch SIP after a crafty person published a sub-140-character proof-of-concept that overwrote an OS X configuration file, in defiance of SIP. Just for good measure, in 2019 Google had to halt a routine Chrome update after irate users found that on systems without SIP the update would delete a crucial symbolic link needed by MacOS. No symlink, no boot.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/10/29/shrootless_macos_sip_bypass_microsoft/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 480 75 2308 5128 264 7775