Apple macOS Flaw Allows Kernel-Level Compromise

‘Shrootless’ allows attackers to bypass System Integrity Protection security measures and install a malicious rootkit that goes undetected and performs arbitrary device operations.

Apple has patched a vulnerability in macOS that could allow attackers to bypass a key OS protection and install a malicious rootkit to perform arbitrary operations on a device, researchers from Microsoft have discovered.

The problem, dubbed “Shrootless,” is associated with a security technology called System Integrity Protection (SIP) found in macOS. Jonathan Bar Or from the Microsoft 365 Defender Research Team explained in a blog post that SIP restricts a user at the root level of the OS from performing operations that may compromise system integrity.

Researchers were assessing processes entitled to bypass SIP protections when they discovered the vulnerability, which is being tracked as CVE-2021-30892, Bar Or wrote.

“We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed,” he explained in the post. “A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP’s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others.”

Microsoft Security Vulnerability Research (MSVR)

Read More: https://threatpost.com/apple-macos-flaw-kernel-compromise/175927/