
Microsoft researchers find critical macOS SIP vulnerability


Microsoft researchers discovered a critical System Integrity Protection (SIP) vulnerability in macOS late last year. This vulnerability allows cybercriminals to bypass the security measures of macOS systems.

Late last year, security researchers at Microsoft discovered a critical vulnerability, CVE-2024-44243, that allows Apple’s SIP protections in macOS to be circumvented. Among other things, this lets attackers install malicious kernel drivers by loading third-party kernel extensions.

SIP, also called “rootless,” is a security feature of macOS that prevents specific actions by malicious software to protect system integrity. For example, it prevents modifying specific folders and files by restricting root user account permissions in protected areas.

Once SIP is bypassed, attackers can install rootkits, create persistent malware that stays on the system, bypass Transparency, Consent and Control (TCC) functionality and further expand the attack surface.

Vulnerability in Storage Kit

Apple’s SIP only allows processes signed by Apple, or processes granted special permission, to modify SIP-protected macOS components; Apple’s own software updates are one example.

Disabling SIP normally requires rebooting the Mac into macOS Recovery, which in turn requires physical access to the system.

The newly found vulnerability lies in the Storage Kit daemon within macOS, which handles so-called disk state-keeping. By abusing it, attackers can bypass SIP’s root restrictions without physical access to the targeted system.

Microsoft notified Apple of the critical vulnerability. New security updates for macOS Sequoia 15.2 have since fixed it.
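For administrators who want to verify the two things this section turns on, that SIP is still enabled and that the Mac is on a release at or above the 15.2 fix, the following script is an added example (not Microsoft’s or Apple’s code). It assumes two real macOS commands, `csrutil status` and `sw_vers -productVersion`, and keeps the parsing in pure functions so they can be exercised against constructed sample output on any platform. It treats any version below 15.2 as unpatched, which follows the article’s statement and does not account for other macOS release lines.

```python
"""Assess a Mac's exposure to the SIP bypass fixed in macOS Sequoia 15.2.

Added example, not code from the article or from Microsoft/Apple. It reads
`csrutil status` (SIP state) and `sw_vers -productVersion` (macOS version),
both real macOS commands, and evaluates them with pure functions that can be
fed captured or constructed output instead.
"""
import re
import shutil
import subprocess

# macOS release in which Apple shipped the fix, as stated in the article.
FIXED_VERSION = (15, 2)


def parse_version(text: str) -> tuple:
    """Turn '15.2' or '15.1.1' into a tuple of ints that compares correctly."""
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())


def sip_enabled(csrutil_output: str) -> bool:
    """Interpret the status line printed by `csrutil status`.

    Real output starts with a line such as
      System Integrity Protection status: enabled.
    A custom configuration reports 'unknown' and is treated as not enabled.
    """
    m = re.search(r"System Integrity Protection status:\s*(\w+)", csrutil_output)
    if not m:
        raise ValueError("unrecognised csrutil output")
    return m.group(1).lower() == "enabled"


def assess(csrutil_output: str, product_version: str) -> dict:
    """Combine SIP state and patch level into a small report."""
    enabled = sip_enabled(csrutil_output)
    patched = parse_version(product_version) >= FIXED_VERSION
    return {
        "sip_enabled": enabled,
        "version": product_version.strip(),
        "patched_for_cve_2024_44243": patched,
        # SIP off means the protection is absent regardless of patch level;
        # SIP on but unpatched means the Storage Kit bypass still applies.
        "exposed": (not enabled) or (not patched),
    }


def main() -> None:
    """Run the assessment on the local machine when the macOS tools exist."""
    if shutil.which("csrutil") is None or shutil.which("sw_vers") is None:
        print("csrutil/sw_vers not found: not macOS, run assess() on captured output")
        return
    status = subprocess.run(["csrutil", "status"], capture_output=True, text=True).stdout
    version = subprocess.run(["sw_vers", "-productVersion"], capture_output=True, text=True).stdout
    for key, value in assess(status, version).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

A finding of `exposed: True` with `sip_enabled: False` is worth a separate look, since the article notes that legitimately disabling SIP requires a reboot into Recovery; a fleet host in that state without a known change record deserves investigation rather than just an update.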

Other Microsoft discoveries

This is not the first time Microsoft has found SIP vulnerabilities in macOS, the operating system of its competitor Apple. Examples include CVE-2021-30892, discovered in 2021, and more recently CVE-2023-32369.

Another critical macOS vulnerability Microsoft discovered is CVE-2022-42821, which allows malware to be delivered via unknown apps that bypass the so-called Gatekeeper execution restrictions.

The macOS vulnerability CVE-2021-30970 lets hackers bypass TCC technology to access macOS end users’ protected data.
