Thu | Jun 1, 2023 | 5:30 AM PDT

Microsoft's Threat Intelligence team recently uncovered a significant vulnerability in macOS, exposing a flaw in the System Integrity Protection (SIP) mechanism.

The vulnerability, dubbed "Migraine," enables attackers with root access to bypass SIP and perform arbitrary operations on macOS devices.

This discovery raises concerns about system integrity, the installation of undeletable malware, and the potential compromise of private user data. Microsoft promptly reported the issue to Apple, resulting in the release of security updates to address the vulnerability.

Understanding System Integrity Protection (SIP)

System Integrity Protection, also known as "rootless," is a fundamental macOS security feature introduced by Apple in macOS Yosemite. SIP aims to safeguard the operating system's core components by preventing unauthorized modification of critical files and directories. It restricts the capabilities of the root user account and limits the scope of potential system compromises.

The Migraine vulnerability identified by Microsoft's researchers exploits a specific functionality within macOS known as the Migration Assistant utility. This utility employs the systemmigrationd daemon, which possesses the com.apple.rootless.install.heritable entitlement. By abusing this entitlement, attackers with root privileges can bypass SIP's security checks.

The attack vector involves automating the migration process using AppleScript and adding a malicious payload to SIP's exclusions list. Remarkably, this can be achieved without restarting the system or booting from macOS Recovery, providing a significant advantage to attackers.

Zane Bond, Head of Product at Keeper Security, discussed the vulnerability with SecureWorld News:

"What makes this flaw both notable and interesting is that it uses Apple's own protection mechanisms to prevent victims from easily cleaning it up. Every operating system has tried to implement some form of built-in sandbox, anti-virus or malware protection system such as Apple’s System Integrity Protection (SIP).

Occasionally, even those built-in protections are breached. Similarly, Windows Data Execution Prevention (DEP) is another built-in technology that helps protect users from executable code launching from places it's not supposed to, however, neither SIP nor DEP are foolproof."

Implications and risks of Migraine vulnerability

The Migraine vulnerability poses several serious risks to macOS devices and their users. According to Microsoft, a SIP bypass of this kind has four "considerable consequences":

  1. Create undeletable malware: Attackers can leverage the SIP bypass to create and install files protected by SIP, rendering them undeletable by ordinary means. This complicates the mitigation efforts of security solutions like Microsoft Defender for Endpoint, which rely on the ability to quarantine and remove malware effectively.

  2. Expand the attack surface for userland and kernel attacker techniques: Bypassing SIP widens the attack surface for both userland and kernel-based attack techniques. Attackers can potentially execute arbitrary code in the kernel, leading to the installation of rootkits that hide malicious processes and files from security software. As Apple gradually restricts third-party kernel extensions, security solutions face challenges in monitoring and detecting malicious activities in the kernel.

  3. Tamper with the integrity of the system, effectively enabling rootkits: Once an attacker gains arbitrary code execution within the kernel, they can tamper with the system's integrity. This includes hiding processes and files from monitoring tools and bypassing tamper protection measures. Such activities undermine the ability of security solutions, like Microsoft Defender for Endpoint, to protect against threats effectively.

  4. Full Transparency, Consent, and Control (TCC) bypass: The SIP bypass in Migraine allows attackers to completely bypass TCC policies by replacing the associated databases. By gaining unrestricted access to TCC policies, threat actors can grant arbitrary applications access to private data and peripherals, compromising user privacy and data security.

Microsoft's responsible disclosure of the Migraine vulnerability to Apple highlights the importance of collaboration and research-driven protection in securing platforms and devices. Apple has promptly addressed the issue by releasing security updates for affected macOS versions, including Ventura 13.4, Monterey 12.6.6, and Big Sur 11.7.7.

Organizations and users are urged to ensure their macOS devices are up to date with the latest security patches. Implementing comprehensive security solutions, such as Microsoft Defender for Endpoint, can help detect and mitigate potential threats associated with SIP bypasses.
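As an added example (not code from Microsoft, Apple, or SecureWorld), the shell functions below classify macOS versions against the fixed releases listed above, either for the local host or for an inventory of "host version" lines. The sample hostnames and versions are constructed, and reporting major versions other than 11, 12, and 13 as UNKNOWN is an assumption, since the article names no fixed release for them.

```shell
#!/bin/sh
# Added example. Fixed releases are the ones named in the article:
# Ventura 13.4, Monterey 12.6.6, Big Sur 11.7.7.

# ver_ge A B: succeed if dotted version A >= B (missing parts count as 0).
ver_ge() {
    a=$1; b=$2; old_ifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return $?; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return $?; fi
    [ "$a3" -ge "$b3" ]
}

# migraine_status VERSION: print PATCHED, VULNERABLE or UNKNOWN.
migraine_status() {
    case $1 in
        ''|*[!0-9.]*) echo UNKNOWN; return 0 ;;   # not a plain dotted version
    esac
    case ${1%%.*} in
        11) fixed=11.7.7 ;;
        12) fixed=12.6.6 ;;
        13) fixed=13.4 ;;
        *)  echo UNKNOWN; return 0 ;;   # assumption: article lists no fix here
    esac
    if ver_ge "$1" "$fixed"; then echo PATCHED; else echo VULNERABLE; fi
}

# audit_inventory: read "host version" lines on stdin, append the status.
audit_inventory() {
    while read -r host version; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$version" "$(migraine_status "$version")"
    done
}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY='mac-a 13.3.1
mac-b 13.4
mac-c 12.6.5
mac-d 11.7
mac-e 10.15.7'
printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory

# On a Mac, also classify the local host (sw_vers ships with macOS).
if command -v sw_vers >/dev/null 2>&1; then
    migraine_status "$(sw_vers -productVersion)"
fi
```

Components are compared numerically, so a release such as 13.10 is correctly treated as newer than 13.4.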
