- Microsoft reveals in-depth analysis of recently discovered flaw in macOS
- The bug is potentially dangerous because it allows malicious actors to bypass SIP.
- SIP is a security feature designed to protect critical system files
Microsoft has published an in-depth technical analysis of CVE-2024-44243, a medium-severity macOS vulnerability that could allow attackers to deploy “indelible” malware.
macOS includes System Integrity Protection (SIP), also known as “rootless”, a security feature designed to protect critical system files and processes from modification, even by users with root privileges. It was first introduced in OS X El Capitan (10.11) and restricts access to system directories and enforces code integrity.
SIP can be temporarily disabled for specific tasks, but doing so legitimately requires rebooting the Mac into Recovery mode and running a terminal command (csrutil) there; it cannot be switched off from a normal session, which is precisely the boundary this bug crosses.
Impacting the security of the entire operating system
The bug allows a local attacker who already holds root privileges to mount a low-complexity attack that bypasses SIP’s restrictions on root, without needing physical access to the target endpoint. Root is therefore a prerequisite, not the prize: SIP exists to keep even root out of the system volume, and once it is bypassed an attacker can install rootkits and malware that “cannot be removed,” and sidestep Apple’s Transparency, Consent, and Control (TCC) privacy framework.
In its article, Microsoft describes how destructive a SIP bypass can be: “SIP bypass affects the security of the entire operating system and could lead to serious consequences, highlighting the need for comprehensive security solutions capable of detecting abnormal behavior of specially authorized processes,” Redmond said.
“The challenge of detecting such threats is compounded by the inherent limitations of kernel-level visibility on macOS, making it difficult for traditional security measures to detect and mitigate these sophisticated attacks.”
The flaw was discovered in late 2024 by Microsoft and, independently, by security researcher Mickey Jin; both responsibly disclosed it to Apple, which patched it on December 11, 2024 in macOS Sequoia 15.2.
Although there are no reports of exploitation in the wild, users are still advised to apply the update as soon as possible.
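The two things an administrator will want to verify on a fleet after reading this are the ones the article raises: is SIP actually fully enabled, and is the Mac on 15.2 or later? The script below is an added example written for this page, not code from the article, Microsoft or Apple. It wraps both checks in functions that parse command output passed in as text, so they can be exercised against constructed samples on any POSIX shell; the `csrutil status` output format it expects (“System Integrity Protection status: enabled.”, “disabled.”, or “unknown (Custom Configuration).” for a partial configuration) and the `sw_vers -productVersion` format (“15.2”) are taken from my own knowledge of macOS, not from the page, and the live commands are only invoked when they exist.

```shell
#!/bin/sh
# Added example (not from the article, Microsoft or Apple): two offline checks
# for the conditions discussed above. Both functions parse command output handed
# to them as text, so they can be exercised against constructed samples on any
# POSIX shell; the real commands run at the bottom only when present (macOS).

# sip_state TEXT: TEXT is the output of `csrutil status`. Prints "enabled",
# "disabled" or "custom" and returns 0 only when SIP is fully enabled.
# The "unknown (Custom Configuration)" form (assumed from csrutil's behaviour)
# is what csrutil prints when only some protections are on; that is not
# "enabled" for our purposes.
sip_state() {
    status=$(printf '%s\n' "$1" |
        sed -n 's/^System Integrity Protection status: \([a-z]*\).*/\1/p')
    case "$status" in
        enabled)  echo enabled;  return 0 ;;
        disabled) echo disabled; return 1 ;;
        *)        echo custom;   return 1 ;;
    esac
}

# version_at_least HAVE WANT: numeric, component-wise comparison of dotted
# versions; missing components count as 0, so 15.2 >= 15.2.0 and 15.10 > 15.2.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            a = (i in h) ? h[i] + 0 : 0
            b = (i in w) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# assess CSRUTIL_OUTPUT PRODUCT_VERSION: returns 0 when the machine both has
# SIP fully enabled and runs macOS 15.2 or later (the release that fixed
# CVE-2024-44243). Any other combination returns 1; the echo shows which is off.
assess() {
    sip=$(sip_state "$1") || true
    if version_at_least "$2" 15.2; then patched=yes; else patched=no; fi
    echo "SIP=$sip patched=$patched"
    [ "$sip" = enabled ] && [ "$patched" = yes ]
}

# Constructed sample outputs (csrutil text mirrors a stock install; the
# "Custom Configuration" listing is abbreviated).
SAMPLE_ON='System Integrity Protection status: enabled.'
SAMPLE_OFF='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Kext Signing: disabled'

if command -v csrutil >/dev/null 2>&1 && command -v sw_vers >/dev/null 2>&1; then
    assess "$(csrutil status)" "$(sw_vers -productVersion)"   # live check on a Mac
else
    assess "$SAMPLE_ON" 15.2 || true       # SIP=enabled patched=yes
    assess "$SAMPLE_OFF" 15.2 || true      # SIP=disabled patched=yes
    assess "$SAMPLE_CUSTOM" 14.7.2 || true # SIP=custom patched=no
fi
```

On a Mac the live branch exits non-zero whenever either condition fails, which makes it usable as-is from a fleet-management agent. Note that `csrutil status` can be read from a normal session; only changing the setting requires Recovery mode, which is why a “disabled” or “custom” result on a machine nobody booted into Recovery deserves a closer look.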
Via BleepingComputer