Security News > 2023 > May > Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass

Microsoft has shared details of a now-patched flaw in Apple macOS that could be abused by threat actors with root access to bypass security enforcements and perform arbitrary actions on affected devices.

"The most straight-forward implication of a SIP bypass is that an attacker can create files that are protected by SIP and therefore undeletable by ordinary means," Microsoft researchers Jonathan Bar Or, Michael Pearse, and Anurag Bohra said.

The bypass is made possible by leveraging a built-in macOS tool called Migration Assistant to activate the migration process via an AppleScript that's designed to ultimately launch an arbitrary payload. This, in turn, stems from the fact that systemmigrationd - the daemon used to handle device transfer - comes with the com.

Heritable entitlement, allowing all its child processes, including bash and perl, to bypass SIP checks.

"Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits."

The findings come as Jamf Threat Labs disclosed details of a type confusion flaw in the macOS kernel that could be weaponized by a rogue app installed on the device to execute arbitrary code with kernel privileges.

News URL

https://thehackernews.com/2023/05/microsoft-details-critical-apple-macos.html