Security News > 2021 > November > Apple macOS Flaw Allows Kernel-Level Compromise

The problem-dubbed "Shrootless"-is associated with a security technology called System Integrity Protection found in macOS. Jonathan Bar Or from the Microsoft 365 Defender Research Team explained in a blog post that SIP restricts a user at the root level of the OS from performing operations that may compromise system integrity.

"A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP's restrictions, the attacker could then install a malicious kernel driver, overwrite system files, or install persistent, undetectable malware, among others."

Microsoft's interest in a MacOS flaw demonstrates researchers' interest in security for enterprise networks that use hybrid environments, which increase the attack surface for threat actors to compromise myriad devices regardless of OS, Or noted.

"Therefore, the only legitimate way to disable SIP is by booting into recovery mode and turning SIP off. Turning SIP on or off is done using the built-in csrutil tool, which can also display the SIP status."

SIP has a number of protections that it uses to secure the macOS kernel and other root processes.

They could load untrusted kernel extensions could compromise the kernel and allow the said extensions to perform operations without any checks, or bypass filesystem checks that allow a kernel extension to enforce SIP to itself completely.

News URL

https://threatpost.com/apple-macos-flaw-kernel-compromise/175927/