Microsoft uncovered a critical security vulnerability (tracked as CVE-2024-44243) affecting Apple's macOS (via Bleeping Computer). The threat allowed bad actors to circumvent the iPhone maker's System Integrity Protection (SIP), granting them access to the macOS kernel by loading third-party code.
For context, SIP is a security feature designed to block malware from accessing important data in the operating system by restricting the root user account's privileges in critical areas. As such, if the security feature is bypassed, the operating system becomes susceptible to malicious ploys by attackers, allowing them to make unauthorized changes to privileged and important files and folders.
Related: Microsoft blocks Secure Boot loophole, protecting Windows 11 from firmware attacks
It's worth noting that the security feature limits access to the operating system's critical components to Apple-authorized processes. As such, it's difficult to make important operating system security modifications that attackers could exploit to gain unauthorized access to privileged information. The security feature can only be disabled during the operating system's recovery and restart process, which typically requires physical access to the device.
However, the vulnerability highlighted allowed hackers to disable the security feature remotely, allowing them to install rootkits. With access to the operating system, the attackers could inject malware, bypassing more security features, including Transparency, Consent, and Control (TCC) security checks to gain unauthorized access to intricate user data.
"System Integrity Protection (SIP) serves as a critical safeguard against malware, attackers, and other cybersecurity threats, establishing a fundamental layer of protection for macOS systems. Bypassing SIP impacts the entire operating system's security and could lead to severe consequences, emphasizing the necessity for comprehensive security solutions that can detect anomalous behavior from specially entitled processes."
While the security flaw has been patched, Microsoft reiterates the need for elaborate security tools that could help users easily identify when their operating systems have been compromised. Microsoft also recommends restricting third-party extensions from running in the kernel, potentially reducing the occurrence of such security flaws.
