Researchers at Microsoft have disclosed a vulnerability in Apple's macOS that allows an attacker to bypass System Integrity Protection (SIP) by loading third-party kernel extensions, and through them to install malicious components the system would otherwise refuse.
SIP is a core macOS security feature that protects system components from unauthorized modification. It limits what even the root user can do in protected parts of the system, permitting changes only by processes that Apple has signed and that carry specific entitlements.
The vulnerability, tracked as CVE-2024-44243, was found in the Storage Kit daemon (storagekitd), which manages disk state. The daemon runs with an entitlement that exempts it from SIP and that is inherited by its child processes, so an attacker who can make it spawn their own code inherits that exemption. Exploiting the flaw requires local access, root privileges and user interaction, which makes the attack relatively complex. A successful exploit, however, defeats SIP: the attacker can load kernel drivers that SIP would otherwise block, install effectively undeletable malware such as rootkits, and reach sensitive data while sidestepping security checks such as Transparency, Consent, and Control (TCC).
Apple fixed the issue in macOS Sequoia 15.2, released on December 11, 2024.
SIP is central to macOS's defenses against malware and other attacks. As Microsoft notes, a SIP bypass undermines the reliability of the whole operating system, because every control that assumes protected files cannot be altered is weakened with it. That is why Microsoft stresses monitoring for anomalous application behavior, in particular by processes that hold special entitlements, rather than relying on SIP alone.
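As an added example (not code from Microsoft's report or Apple's advisory), the following POSIX shell script is a host triage check a responder could run on a Mac: it compares the installed macOS version against the Sequoia 15.2 fix, reports SIP status, lists loaded kernel extensions outside the com.apple namespace, and lists file system bundles in /Library/Filesystems with their signing authority. The macOS tools it calls (sw_vers, csrutil, kmutil, codesign) are assumed to be present on the target host; the version threshold is the only one the page gives, and the sample kmutil output is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Host triage for CVE-2024-44243 (added example; not Microsoft's or Apple's code).
# Assumes it runs on macOS with sw_vers, csrutil, kmutil and codesign available;
# the parsing helpers below are plain POSIX sh/awk and run anywhere.

# version_lt A B: succeeds (exit 0) when dotted version A is strictly lower than B.
# A trailing dot is appended so cut always sees a delimiter; missing components
# are treated as 0, so "15.2" compares equal to "15.2.0".
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i")
        y=$(printf '%s.' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# affected_version V: succeeds when macOS version V predates the fix in Sequoia 15.2.
# Caveat: the page only documents the Sequoia 15.2 fix, so anything below 15.2
# (including 14.x) is reported as unpatched here; confirm against Apple's advisory.
affected_version() {
    version_lt "$1" "15.2"
}

# non_apple_kexts: reads `kmutil showloaded` (or kextstat) output on stdin and prints
# the bundle identifier of every loaded extension outside the com.apple namespace.
# The first whitespace-separated field that looks like a reverse-DNS identifier is
# taken as the bundle id; versions in parentheses, hex addresses and UUIDs never match.
non_apple_kexts() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$/ && $i !~ /^com\.apple\./) {
                print $i
                break
            }
        }
    }'
}

# Constructed sample of `kmutil showloaded` output (not captured from a real host),
# with one Apple extension and one hypothetical third-party driver.
SAMPLE_KMUTIL='Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  171 0                  0          0          com.apple.kpi.bsd (21.6.0) 9DA5BA50-5C1B-3C6D-9AC4-4B4E56F5A1A2 <>
  158    0 0xffffff7f8b7b8000 0x5000     0x5000     com.example.evildriver (1.0) 3C2D1F0E-2A2B-4C4D-8E8F-0A0B0C0D0E0F <5 4 3 1>'

# third_party_fs_bundles: lists file system bundles in /Library/Filesystems and the
# signing authority of each (macOS only). Apple-shipped bundles chain to Apple;
# anything else, or anything unsigned, deserves a closer look.
third_party_fs_bundles() {
    for b in /Library/Filesystems/*.fs; do
        [ -e "$b" ] || continue
        printf '%s\n' "$b"
        codesign -dvv "$b" 2>&1 | grep '^Authority=' || printf '  (unsigned or not signed as a bundle)\n'
    done
}

# Run the checks on this host: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    ver=$(sw_vers -productVersion)
    if affected_version "$ver"; then
        printf 'macOS %s: predates the Sequoia 15.2 fix, apply the update\n' "$ver"
    else
        printf 'macOS %s: at or above 15.2\n' "$ver"
    fi
    csrutil status
    printf 'Loaded non-Apple kernel extensions:\n'
    kmutil showloaded 2>/dev/null | non_apple_kexts
    printf 'File system bundles in /Library/Filesystems:\n'
    third_party_fs_bundles
fi
```

A clean version check is only the first step: a host at 15.2 or later is no longer exposed to this particular bug, but a non-Apple kernel extension or an unexpected bundle in /Library/Filesystems on any host is worth investigating regardless of patch level, since the point of the attack is persistence that survives the update.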
Microsoft also pointed to earlier macOS vulnerabilities it had reported, each of which defeated a key protection: the SIP bypasses Shrootless (CVE-2021-30892) and Migraine (CVE-2023-32369), the Gatekeeper bypass Achilles (CVE-2022-42821), and the TCC bypass Powerdir (CVE-2021-30970).
Findings like this show that even hardened platforms need continuous scrutiny. Effective security demands not only patching after the fact but also proactive work to anticipate how protections can be circumvented and to detect it when they are.