New macOS Flaw: Achilles' Heel Threatens the Core

Researchers from Microsoft have disclosed a vulnerability in Apple macOS that allows bypassing System Integrity Protection (SIP) and installing malicious components by loading third-party kernel extensions.

SIP is a security feature of macOS designed to protect system components from unauthorized changes. It restricts the privileges of the root user in protected areas of the system, permitting modifications only by Apple-signed processes or programs holding special entitlements.

The vulnerability, identified as CVE-2024-44243, was discovered in the Storage Driver Kit, which is responsible for managing disks. Exploiting it requires local access, root privileges, and user interaction, which makes the attack relatively complex. Successful exploitation, however, could allow an attacker to bypass SIP, install “untrusted” malicious programs such as rootkits, and access data without passing the system's security checks.

On December 11, 2024, Apple released security updates for macOS Monterey 15.2 to address this issue.
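As an added illustration (not code from Microsoft, Apple, or the original article), the following defender-side audit checks the three conditions that matter for this flaw on a given host: whether SIP is enabled, whether any non-Apple kernel extensions are loaded, and whether the installed macOS version is at or past the 15.2 fix. It assumes the standard `csrutil`, `kmutil` and `sw_vers` tools; each check takes command output as text so the logic can be run on the constructed samples below without a Mac.

```shell
#!/bin/sh
# Added example: audit a host for the conditions relevant to CVE-2024-44243.

# 0 if `csrutil status` output reports SIP enabled, 1 otherwise.
sip_enabled() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# Print bundle IDs of loaded kexts outside the com.apple namespace, one per line.
# Input is `kmutil showloaded` (or `kextstat`) output; column 6 is the bundle ID.
third_party_kexts() {
    printf '%s\n' "$1" | awk '$6 ~ /\./ && $6 !~ /^com\.apple\./ { print $6 }'
}

# 0 if a macOS product version (e.g. "15.1.1") is at or past the 15.2 fix.
is_patched() {
    major=${1%%.*}
    case $1 in
        *.*) rest=${1#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -gt 15 ] || { [ "$major" -eq 15 ] && [ "$minor" -ge 2 ]; }
}

# Live audit; assumes csrutil, kmutil and sw_vers exist (i.e. a real Mac).
audit_host() {
    csr=$(csrutil status 2>/dev/null)
    kexts=$(kmutil showloaded 2>/dev/null)
    ver=$(sw_vers -productVersion 2>/dev/null)
    sip_enabled "$csr" || echo "WARN: SIP is not enabled"
    is_patched "$ver" || echo "WARN: macOS $ver predates the 15.2 fix"
    third_party_kexts "$kexts" | sed 's/^/INFO: third-party kext loaded: /'
}

# Constructed samples (not captured from any real host) for self-testing.
SAMPLE_CSR_OK='System Integrity Protection status: enabled.'
SAMPLE_CSR_BAD='System Integrity Protection status: disabled.'
SAMPLE_KEXTS='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  140 0xffffff8000000000 0x1000     0x1000     com.apple.kpi.bsd (24.2.0) 0000-0000 <>
  135    0 0xffffff7f82a3b000 0x5000     0x5000     com.example.driver (1.0) 1111-2222 <1>'

# Only run the live audit when executed on macOS.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then audit_host; fi
```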

SIP plays a crucial role in safeguarding macOS against malicious software and cyberattacks. Microsoft warns that a SIP bypass poses a significant threat to the entire system, underscoring the need for robust solutions that detect anomalous application behavior.

Microsoft also highlighted previous macOS vulnerabilities, including Shrootless (CVE-2021-30892), Migraine (CVE-2023-32369), Achilles (CVE-2022-42821), and Powerdir (CVE-2021-30970), all of which allow circumventing key security mechanisms.

The discovery of such vulnerabilities underscores the importance of continuous evaluation of even the most secure systems. In today’s cybersecurity landscape, proactive measures are as essential as reactive responses to predict and mitigate potential risks.
