Apple recently addressed a macOS security flaw — discovered and reported by Microsoft — that lets attackers with root privileges install “undeletable” malware and access private data.

Tracked as CVE-2023-32369, the vulnerability can be leveraged by attackers to bypass System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC) security checks.

Microsoft dubbed the vulnerability “Migraine”.

SIP is a security feature in macOS that blocks malicious software from modifying specific files and folders. It does this by restricting the root user account and its capabilities within certain areas of the OS.

Essentially, it only authorizes Apple-signed processes, or those with special entitlements, to alter these protected areas of macOS.

However, Microsoft researchers Jonathan Bar Or, Anurag Bohra, and Michael Pearse determined that attackers with root privileges can bypass SIP by exploiting macOS’s Migration Assistant utility.

They demonstrated how attackers could exploit the vulnerability to automate the migration process and launch a harmful payload once they add it to SIP’s list of exclusions.

“By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks,” Microsoft said.
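The two mechanisms the article has described so far, SIP being enabled on the host and the com.apple.rootless.install.heritable entitlement that lets an Apple-signed process write to SIP-protected locations, are both things a defender can audit. The script below is an added example written for this page; it is not code from the article or from Microsoft's research. It assumes that `csrutil status` prints "System Integrity Protection status: enabled." (or "disabled."), and that `codesign -d --entitlements :- <binary>` prints a binary's entitlements as an XML plist. Both commands exist only on macOS, so the parsing functions are exercised here on constructed sample strings and the live `audit_host` function is only run when `csrutil` is present.

```shell
#!/bin/sh
# Added audit helpers for the SIP and entitlement points in the article; this is
# not code from the article or from Microsoft's research. Assumptions:
#   - `csrutil status` prints "System Integrity Protection status: enabled." (or disabled.)
#   - `codesign -d --entitlements :- <binary>` prints the entitlements plist as XML
# Both commands exist only on macOS; the sample strings below are constructed so the
# parsing logic can be exercised anywhere.

# Classify csrutil output read from stdin: prints enabled, disabled or unknown.
sip_state() {
  out=$(cat)
  case "$out" in
    *"System Integrity Protection status: enabled"*)  echo enabled ;;
    *"System Integrity Protection status: disabled"*) echo disabled ;;
    *) echo unknown ;;
  esac
}

# Return 0 if the entitlements plist on stdin grants com.apple.rootless.install.heritable,
# i.e. the process (and its children) may write to SIP-protected locations.
has_heritable_entitlement() {
  tr -d '\n' | grep -q '<key>com.apple.rootless.install.heritable</key>[[:space:]]*<true/>'
}

# Live audit on a Mac: report SIP state and flag each given binary that carries
# the heritable entitlement, so the inventory can be baselined and monitored.
audit_host() {
  if command -v csrutil >/dev/null 2>&1; then
    echo "SIP: $(csrutil status 2>/dev/null | sip_state)"
  fi
  for bin in "$@"; do
    if codesign -d --entitlements :- "$bin" 2>/dev/null | has_heritable_entitlement; then
      echo "heritable SIP entitlement: $bin"
    fi
  done
}

# Constructed samples (not real system output).
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'
SAMPLE_ENTITLEMENTS_HERITABLE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.rootless.install.heritable</key>
  <true/>
</dict></plist>'
SAMPLE_ENTITLEMENTS_PLAIN='<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
</dict></plist>'

echo "sample SIP state: $(printf '%s\n' "$SAMPLE_CSRUTIL" | sip_state)"
if printf '%s\n' "$SAMPLE_ENTITLEMENTS_HERITABLE" | has_heritable_entitlement; then
  echo "sample A: heritable entitlement present"
fi
if printf '%s\n' "$SAMPLE_ENTITLEMENTS_PLAIN" | has_heritable_entitlement; then
  echo "sample B: heritable entitlement present"
else
  echo "sample B: heritable entitlement not present"
fi

# On a Mac, pass the system binaries you want to inventory, for example:
#   audit_host /System/Library/CoreServices/*.app/Contents/MacOS/*
```

A SIP state other than "enabled" is the first thing to flag, since every protection discussed in the article depends on it. The entitlement inventory is useful as a baseline: the set of Apple-signed binaries that carry the heritable entitlement should be small and stable, and any process outside that set writing into SIP-protected paths is worth investigating.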

Microsoft’s threat intelligence team warned that SIP bypasses carry significant risks and can have far-reaching effects when exploited by malicious actors.

The researchers said it could enable the creation of “undeletable” malware, greatly expand the attack surface, and allow attackers to meddle with system integrity.

By bypassing SIP, attackers also completely bypass macOS’s TCC security checks. They can then replace TCC databases and access the owner’s private data.