Security News > 2023 > May > Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass
Microsoft has shared details of a now-patched flaw in Apple macOS that could be abused by threat actors with root access to bypass security enforcements and perform arbitrary actions on affected devices.
"The most straight-forward implication of a SIP bypass is that an attacker can create files that are protected by SIP and therefore undeletable by ordinary means," Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra said.
The bypass is made possible by leveraging a built-in macOS tool called Migration Assistant to activate the migration process via an AppleScript that's designed to ultimately launch an arbitrary payload. This, in turn, stems from the fact that systemmigrationd - the daemon used to handle device transfer - comes with the com.
Heritable entitlement, allowing all its child processes, including bash and perl, to bypass SIP checks.
"Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits."
The findings come as Jamf Threat Labs disclosed details of a type confusion flaw in the macOS kernel that could be weaponized by a rogue app installed on the device to execute arbitrary code with kernel privileges.
News URL
https://thehackernews.com/2023/05/microsoft-details-critical-apple-macos.html
Related news
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)
- Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser (source)
- GitLab warns of critical pipeline execution vulnerability (source)
- Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- GitLab releases fix for critical SAML authentication bypass flaw (source)
- GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions (source)
- Patch this critical Safeguard for Privileged Passwords auth bypass flaw (CVE-2024-45488) (source)
- Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks (source)
- Week in review: Critical VMware vCenter Server bugs fixed, Apple releases iOS 18 (source)