Critical macOS Flaw Exposed: Microsoft Reveals How Hackers Could Install Rootkits

Microsoft Uncovers Critical macOS Security Vulnerability

A recently patched security vulnerability in Apple macOS (CVE-2024-44243) could have allowed attackers with root access to bypass System Integrity Protection (SIP) and install malicious kernel drivers. The medium-severity bug, which received a CVSS score of 5.5, was addressed in macOS Sequoia 15.2.

The vulnerability, discovered by Microsoft’s Threat Intelligence team, abused the entitlements held by the Storage Kit daemon (storagekitd) to circumvent SIP protections. SIP, also known as rootless, is a crucial security framework that prevents unauthorized modification of protected system areas, including /System, /usr, /bin, /sbin, /var, and pre-installed applications.

Technical Impact:
– Potential installation of rootkits
– Creation of persistent malware
– Bypass of Transparency, Consent and Control (TCC)
– Expanded attack surface

The exploit worked by leveraging two key SIP entitlements:
1. com.apple.rootless.install
2. com.apple.rootless.install.heritable

The vulnerability allowed attackers to:
– Deliver malicious file system bundles to /Library/Filesystems
– Override Disk Utility binaries
– Trigger unauthorized operations through storagekitd
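As an added defender-side check (not code from Microsoft’s write-up or from Apple), the following Python audit reads a binary’s entitlements plist and reports whether it holds either of the two rootless entitlements named above, which is the first thing to inventory when deciding which processes could act as a SIP-bypass vehicle. The paths and plists in it are constructed samples, and the codesign invocation in the docstring is the recent-macOS syntax.

```python
import plistlib
from xml.parsers.expat import ExpatError

# SIP-related entitlements named in the article. A process holding the first may write
# to SIP-protected locations; the "heritable" variant passes that ability on to child
# processes, which is what made storagekitd useful as a vehicle for CVE-2024-44243.
SIP_BYPASS_ENTITLEMENTS = (
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
)


def sip_entitlements_held(entitlements_plist: bytes) -> list[str]:
    """Return the SIP-bypass entitlements set to true in an entitlements plist.

    `entitlements_plist` is the XML plist produced by
    `codesign -d --entitlements - --xml <binary>` (recent macOS syntax).
    Empty or malformed input is treated as "no entitlements", not as an error.
    """
    try:
        ent = plistlib.loads(entitlements_plist)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return []
    if not isinstance(ent, dict):
        return []
    # Only a literal <true/> counts; <false/> or a missing key grants nothing.
    return [k for k in SIP_BYPASS_ENTITLEMENTS if ent.get(k) is True]


def audit(binaries: dict[str, bytes]) -> dict[str, list[str]]:
    """Map binary path -> held SIP-bypass entitlements, omitting binaries with none."""
    return {p: h for p, h in ((p, sip_entitlements_held(b)) for p, b in binaries.items()) if h}


# Constructed sample input (hypothetical paths, not real codesign dumps).
SAMPLE = {
    "/usr/libexec/daemon-with-both (constructed)": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.rootless.install</key><true/>
  <key>com.apple.rootless.install.heritable</key><true/>
</dict></plist>""",
    "/usr/bin/ordinary-tool (constructed)": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.rootless.install</key><false/>
</dict></plist>""",
    "/usr/bin/no-entitlements (constructed)": b"",
}

if __name__ == "__main__":
    for path, held in audit(SAMPLE).items():
        print(f"{path}: {', '.join(held)}")
```

Run the audit over the output of codesign for the binaries you care about (for example, every launchd daemon) and treat any entry in the report as a high-value process whose integrity and child-process behaviour deserve monitoring.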

This marks Microsoft’s third discovery of SIP bypasses in macOS, following CVE-2021-30892 (Shrootless) and CVE-2023-32369 (Migraine). Security experts emphasize that SIP breaches can compromise the entire operating system’s reliability and hamper security monitoring capabilities. Users are advised to implement system updates promptly to protect against such vulnerabilities.
