Apple has patched a critical vulnerability in macOS that allowed hackers to bypass the System Integrity Protection (SIP), a key security feature. This flaw could have enabled malware installation and privileged access to systems, increasing the potential for severe attacks.
The vulnerability, tracked as CVE-2024-44243, was uncovered by Microsoft’s security researchers, who reported the issue to Apple in December 2024. The flaw primarily impacts how System Integrity Protection (SIP) interacts with certain entitlements that manage protections and access to macOS applications. SIP is a crucial security feature designed to prevent malicious software from altering critical system files and processes.
How the Vulnerability Works
The flaw is associated with private entitlements that are used for system updates, debugging, memory tracing, and security extensions. These entitlements are typically undocumented by Apple, making it challenging for security teams to detect unusual activity tied to these special entitlements.
Microsoft’s researchers identified a way to exploit the flaw by using the com.apple.rootless.install and com.apple.rootless.install.heritable entitlements, which allow access to child processes, enabling multitasking operations in macOS. Specifically, the vulnerability allows attackers to bypass SIP by interacting with the storagekitd framework, which is responsible for managing storage on macOS. By exploiting child processes associated with storagekitd, attackers can override system binaries and execute malicious code.
An attacker with root access could drop malicious files into the /Library/Filesystems directory and use storagekitd to trigger custom binaries, effectively bypassing SIP’s protection mechanisms.
Potential Impact
The bypass of SIP poses significant risks to the macOS operating system. SIP is essential in safeguarding the macOS kernel from malware, and by circumventing it, attackers can install rootkits and gain privileged access. This vulnerability would likely be difficult to detect due to the limited visibility into kernel-level security, further complicating efforts to secure systems affected by this flaw.
Microsoft emphasizes the importance of proactive monitoring to detect anomalous behavior and prevent exploitation of such vulnerabilities. Using advanced detection mechanisms can provide organizations with better visibility into suspicious activities that may indicate an attempt to exploit SIP bypass flaws.
Apple’s Response
After Microsoft alerted Apple about the vulnerability, the tech giant issued a patch on December 11, 2024, addressing CVE-2024-44243 and preventing further exploitation. However, this isn’t the first time SIP vulnerabilities have been discovered. Earlier, a similar flaw, CVE-2022-26712, was found, also allowing SIP bypass and potentially exposing systems to compromise.
In March 2024, Apple had already patched critical zero-day vulnerabilities that gave hackers access to the kernel and bypassed kernel memory protections, highlighting the ongoing concerns around kernel security.
As the vulnerability landscape evolves, especially with kernel-level security concerns, it is crucial for organizations and users to stay vigilant and apply the latest updates promptly.
Related Topics:
Which Apple Pencil Is Better for Drawing
