Microsoft Defender Research Team has revealed a macOS vulnerability—CVE-2024-44243—that allows attackers to bypass Apple’s robust System Integrity Protection (SIP). SIP, a cornerstone of macOS security, restricts potentially harmful operations that could jeopardize the operating system’s integrity. The bypass, achieved via third-party kernel extensions, poses severe risks, including the installation of rootkits, persistent malware, and the circumvention of critical security controls like Transparency, Consent, and Control (TCC).
As detailed by Microsoft, “Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.” The vulnerability highlights how macOS processes, when equipped with special entitlements, can inadvertently facilitate malicious exploits.
The bypass exploits macOS processes with special entitlements, such as com.apple.rootless.install.heritable, which are inherited by child processes. This entitlement, crucial for operations like system updates and security extensions, becomes a double-edged sword when improperly monitored. Attackers can exploit processes like the storagekitd daemon, which handles disk state-keeping, to invoke unverified kernel extensions.
Microsoft researchers noted that an attacker could “drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP.” This bypass effectively undermines the entire security model of macOS, enabling the execution of arbitrary and potentially harmful kernel code.
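Since the abuse path described above starts with a file system bundle dropped into /Library/Filesystems, a defender can periodically audit that directory and flag any bundle whose code signature is missing, ad-hoc, or from a vendor not on an allow-list. The script below is an added example written for this post, not Microsoft's or Apple's code; the Team ID in `ALLOWED_TEAMS` and the abridged `codesign` output samples are constructed placeholders.

```python
import os
import re
import subprocess

FS_DIR = "/Library/Filesystems"   # where third-party file system bundles are installed
# Hypothetical allow-list: Team IDs of the file system vendors you actually deploy.
ALLOWED_TEAMS = {"EXAMPLE123"}

# Constructed, abridged samples of `codesign -dv --verbose=4` output used by the tests.
SAMPLE_APPLE = "Authority=Software Signing\nAuthority=Apple Code Signing Certification Authority\nAuthority=Apple Root CA\nTeamIdentifier=not set\n"
SAMPLE_DEVID = "CodeDirectory v=20400 size=300 flags=0x10000(runtime) hashes=3+5 location=embedded\nAuthority=Developer ID Application: Example Corp (EXAMPLE123)\nAuthority=Developer ID Certification Authority\nAuthority=Apple Root CA\nTeamIdentifier=EXAMPLE123\n"
SAMPLE_ADHOC = "CodeDirectory v=20400 size=200 flags=0x2(adhoc) hashes=2+2 location=embedded\nSignature=adhoc\nTeamIdentifier=not set\n"
SAMPLE_NONE = "/Library/Filesystems/placeholder.fs: code object is not signed at all\n"

def classify(text):
    """Turn codesign's verbose output into (verdict, team_id)."""
    if "code object is not signed at all" in text:
        return "unsigned", None
    auths = re.findall(r"^Authority=(.+)$", text, re.M)
    m = re.search(r"^TeamIdentifier=(.+)$", text, re.M)
    team = m.group(1).strip() if m and m.group(1).strip() != "not set" else None
    if not auths:  # signed, but with no certificate chain at all
        return ("adhoc" if "(adhoc)" in text or "Signature=adhoc" in text else "unknown"), team
    if auths[0] == "Software Signing" and auths[-1] == "Apple Root CA":
        return "apple", team
    if auths[0].startswith("Developer ID Application:") and auths[-1] == "Apple Root CA":
        return "developer-id", team
    return "unknown", team

def suspicious(verdict, team):
    """Anything not Apple-signed and not from an allow-listed vendor deserves review."""
    return not (verdict == "apple" or (verdict == "developer-id" and team in ALLOWED_TEAMS))

def audit(fs_dir=FS_DIR):
    """Return [(bundle, verdict, team)] for every .fs bundle in fs_dir that needs review."""
    findings = []
    for name in (sorted(os.listdir(fs_dir)) if os.path.isdir(fs_dir) else []):
        if not name.endswith(".fs"):
            continue
        path = os.path.join(fs_dir, name)
        # codesign prints its report on stderr, so read both streams
        proc = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
        verdict, team = classify(proc.stdout + proc.stderr)
        if suspicious(verdict, team):
            findings.append((path, verdict, team))
    return findings

if __name__ == "__main__":
    for path, verdict, team in audit():
        print(f"REVIEW {path}: signature={verdict} team={team}")
```

Run it from a scheduled job on managed Macs and alert on any non-empty result; a new unsigned or ad-hoc bundle appearing in that directory is exactly the precondition the bypass relies on.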
The implications of SIP bypasses are critical. As Microsoft explains, “If SIP is bypassed, the entire operating system can no longer be considered reliable, and with reduced monitoring visibility, threat actors can tamper with any security solutions on the device to evade detection.”
This flaw was identified independently by Microsoft and security researcher Mickey Jin, who reported it to Apple via the Coordinated Vulnerability Disclosure (CVD) program. Apple addressed the issue with a patch in their December 11, 2024, security updates.
For more technical details, users can refer to Microsoft’s official blog and the CVE-2024-44243 advisory.