Microsoft experts have discovered a serious Migraine vulnerability (CVE-2023-32369) in the macOS operating system.
Now that Apple developers have fixed this bug, it has become known that it allows attackers with root privileges to bypass System Integrity Protection (SIP) protection, install “unremovable” malware on the device and gain access to the victim’s personal data, bypassing Transparency, Consent security checks and Control (TCC).Apple fixed the vulnerability with the release of macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7 two weeks ago on May 18, 2023.
Let me remind you that we wrote that Microsoft Told about a Bug in MacOS that Allowed to Bypass Gatekeeper, and also that Apple leaves critical bugs unpatched in macOS Big Sur and Catalina.
And also information security specialists wrote that LockBit Releases World’s First macOS Ransomware.
The System Integrity Protection (SIP) mechanism, also known as “rootless”, is a protective functionality in macOS and is kind of like a sandbox. The mechanism prevents potential malware from modifying certain folders and files using the root user and its ability to work with protected areas of the OS.
SIP adheres to the principle that only Apple-signed processes or processes with special rights, such as software updates and installers, are allowed to modify protected macOS components.
It is also important to note that it is impossible to disable SIP without rebooting the system and running macOS Recovery, and for this you need to have physical access to an already jailbroken device.
However, Microsoft researchers have found that root attackers can bypass SIP protection using the macOS Migration Assistant utility built into macOS using the systemmigrationd daemon with SIP bypass capabilities (thanks to com.apple.rootless.install.heritable rights).
The researchers demonstrated that rooted attackers can automate this process with AppleScript and launch a malicious payload by adding it to the SIP exclusion list (without rebooting the system and macOS Recovery).
It is noted that bypassing SIP is associated with significant risks, especially if malware creators use it. This can have far-reaching consequences, including the creation of “protected” SIP malware that will be impossible to remove with standard methods.
Also, bypassing SIP significantly expands the capabilities of attackers and allows attackers to violate the integrity of the system by arbitrary code execution at the kernel level, as well as create and install rootkits to hide malicious processes and files from security programs.
In addition, it allows completely bypassing Transparency, Consent, and Control (TCC), allowing hackers to spoof TCC databases and gain unlimited access to the victim’s personal data.