- Microsoft reveals an in-depth analysis of a flaw it recently found in macOS.
- The bug is potentially dangerous as it allows threat actors to bypass SIP.
- SIP is a security feature designed to protect critical system files.
Microsoft has published an in-depth technical analysis of CVE-2024-44243, a medium-severity macOS vulnerability that could allow attackers to deploy “indelible” malware.
macOS devices come with System Integrity Protection (SIP), also known as “rootless”, a security feature designed to protect critical system files and processes from being modified, even by users with root privileges. It was first introduced in macOS El Capitan and is designed to restrict access to system directories and enforce code integrity.
SIP can be temporarily disabled for specific tasks, but doing so requires rebooting the system into recovery mode and using Terminal commands.
Impacting complete operating system security
The bug allows local attackers with root privileges to mount low-complexity attacks through which they can bypass the SIP root restriction, even if they do not have physical access to the target endpoint. As a result, they can install rootkits, “unremovable” malware, and bypass Apple’s Transparency, Consent, and Control (TCC) security framework.
In its article, Microsoft described how destructive SIP bypassing can be: “SIP bypassing impacts the security of the entire operating system and could have serious consequences, emphasizing the need for comprehensive security solutions that can detect anomalous behavior of specially authorized processes.”
“The challenge of detecting these types of threats is compounded by the inherent limitations of kernel-level visibility in macOS, making it difficult for traditional security measures to detect and mitigate these sophisticated attacks.”
The flaw was discovered in late 2024 by both Microsoft and independent security researcher Mickey Jin, who responsibly disclosed it to Apple; Apple fixed it on December 11, 2024 in macOS Sequoia 15.2.
While there is no news of abuse, users are advised to apply the patch as soon as possible.
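Two facts in this article decide a host's exposure: whether it runs the fixed release (Sequoia 15.2 or later) and whether SIP is still enabled. The following POSIX shell check is an added example, not code from the article, Microsoft or Apple; it consumes the output of the real `sw_vers -productVersion` and `csrutil status` tools, and the 15.2 threshold and the exact status wording it matches are assumptions drawn from the article and current macOS output.

```shell
#!/bin/sh
# Added example (not from the article, Microsoft or Apple): report whether a
# Mac is on the macOS release that fixed CVE-2024-44243 and whether
# `csrutil status` still says SIP is enabled. Threshold and wording assumed.
FIXED_VERSION="15.2"   # assumption: Sequoia 15.2 is the fix named in the article

# version_ge A B: exit 0 when dotted version A >= B (up to three components).
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    # Pad with .0.0 so "15.2" and "15.2.0" compare equal.
    x=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
    y=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# sip_enabled OUTPUT: exit 0 only when the `csrutil status` text reports SIP on;
# "disabled" and "unknown (Custom Configuration)" are both treated as findings.
sip_enabled() {
  case "$1" in
    *"Protection status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_host VERSION CSRUTIL_OUTPUT: prints a verdict; exit 0 = OK,
# 1 = unpatched for CVE-2024-44243, 2 = SIP not enabled (checked first).
check_host() {
  if ! sip_enabled "$2"; then
    echo "FAIL: SIP is not enabled; re-enable it before worrying about patch level"
    return 2
  fi
  if ! version_ge "$1" "$FIXED_VERSION"; then
    echo "FAIL: macOS $1 predates $FIXED_VERSION; update to close CVE-2024-44243"
    return 1
  fi
  echo "OK: macOS $1 with SIP enabled"
  return 0
}

# On a real Mac read the live values; elsewhere run on constructed samples.
if command -v sw_vers >/dev/null 2>&1 && command -v csrutil >/dev/null 2>&1; then
  check_host "$(sw_vers -productVersion)" "$(csrutil status 2>&1)"
else
  check_host "15.1.1" "System Integrity Protection status: enabled." || true
  check_host "15.2" "System Integrity Protection status: disabled." || true
fi
```

Run it from an MDM or Jamf policy and alert on any nonzero exit; a `2` deserves the faster follow-up, since the article's whole point is that the flaw matters precisely because SIP is supposed to be on.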
Via BleepingComputer