- Microsoft reveals in-depth analysis of a flaw it recently found in macOS
- The bug is potentially dangerous since it allows threat actors to bypass SIP
- SIP is a security feature designed to protect critical system files
Microsoft has released an in-depth technical analysis on CVE-2024-44243, a medium-severity macOS vulnerability which could allow attackers to deploy “undeletable” malware.
macOS devices come with System Integrity Protection (SIP), (AKA “rootless”) a security feature designed to protect critical system files and processes from being modified, even by users with root privileges. It was first introduced in macOS El Capitan, and is designed to restrict access to system directories and enforce code integrity.
SIP can be temporarily disabled for specific tasks, but doing so requires restarting the system in recovery mode and using Terminal commands.
Impacting entire OS security
The bug allows local attackers with root privilege to mount low-complexity attacks through which they can bypass SIP root restriction, even if they don’t have physical access to the target endpoint. As a result, they can install rootkits, malware that “cannot be deleted”, and work around Apple’s Transparency, Consent, and Control (TCC) security framework.
In its writeup, Microsoft described how destructive bypassing SIP can be: “Bypassing SIP impacts the entire operating system‘s security and could lead to severe consequences, emphasizing the necessity for comprehensive security solutions that can detect anomalous behavior from specially entitled processes,” Redmond said.
“The challenge of detecting such threats is compounded by the inherent limitations in kernel-level visibility on macOS, making it difficult for traditional security measures to spot and mitigate these sophisticated attacks.”
The flaw was first discovered in late 2024 by both Microsoft and a separate security researcher, Mickey Jin, both of whom responsibly disclosed it to Apple, which addressed it on December 11, 2024, through macOS Sequoia 15.2.
While there is no word of abuse in the wild, users are still advised to apply the patch as soon as possible.
Via BleepingComputer
