Microsoft recently discovered a critical security vulnerability in macOS, which as per Microsoft 365 Defender Research team’s researcher Jonathan Bar-Or, could have been used to install a rootkit on targeted Macbooks.
The vulnerability was identified in System Integrity Protection (SIP) within the macOS ecosystem. Research suggests it could allow attackers to install a hardware interface to overwrite system files or install undetectable, persistent malware.
“While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether,” Bar-Or explained in a blog post.
The vulnerability also affected the packages signing mechanism and installation method of post-install scripts. As per Bar-Or, a threat actor can create a “specially crafted file” to hijack the installation process.
How Attackers Can Bypass SIP
SIP is also called rootless. It locks down the system from the root, using Apple’s sandbox to protect macOS, and contains many memory-based variables. These variables ideally shouldn’t be modified in non-recovery mode.
However, it is possible to turn off SIP after booting it in recovery mode, allowing a threat actor to