Apple Bug Allows Root Protections Bypass Without Physical Access – Source: www.darkreading.com

Source: Andrey Kryuchkov via Alamy Stock Photo

Cyber defenders are encouraged to ensure systems have been updated with the latest macOS patch, which includes a fix for a vulnerability that exposed the entire operating system to further compromise.

The bug, tracked under CVE-2024-44243, was patched in the Dec. 11 Apple security update, according to analysis from Microsoft Threat Intelligence that was released this week. The vulnerability could allow adversaries to bypass the macOS System Integrity Protection (SIP) restrictions, which limit operations that are detrimental to a device’s security. Without SIP controls in place, a threat actor could install rootkits, drop persistent malware, and more, according to the Microsoft report. More disturbing, threat actors don’t need physical access to pull off the cyberattack.

“This exposes the entire operating system to deeper compromise without needing physical access, threatening sensitive data and system controls,” said Jason Soroko, senior fellow at Sectigo, in a statement.

Detecting Other Apple Bug Exploits

In addition to updating vulnerable macOS systems, experts suggest cyber defenders be on the lookout for suspicious behavior.

“Teams should proactively monitor processes with special entitlements, as these can be exploited to bypass SIP,” said Mayuresh Dani, manager, security research, at Qualys, in a statement provided in reaction to the flaw. “The behavior of these processes in the environments should also be maintained.”

Soroko also advised teams to monitor for unusual disk management activity, in addition to anomalous privileged user behavior, and to implement endpoint detection tools and controls for unsigned kernel extensions. Dani agreed that third-party kernel extensions should be managed with care to prevent these sorts of attacks.

Third-party kernel extensions “should be enabled only when absolutely necessary and with strict monitoring guidelines,” Dani added.

This is just one of the recent cyberattacks that has found its way around Apple’s defenses.

The macOS infostealer malware “Banshee” was recently observed skirting Apple’s antivirus protections, courtesy of a string encryption algorithm stolen from Apple. It’s up to cyber teams to have adequate protections in place to lock down their own environments.

“Regular integrity checks, principle-of-least-privilege policies, and strict compliance with Apple’s security guidelines further reduce exposure to this critical threat,” Soroko added.

This and other similar flaws are a demonstration of a lack of security between root users and the operating system, Lionel Litty, chief security architect at Menlo Security, explained in a statement. It’s also an example of the limitations of endpoint-based solutions, he added.

“While endpoint-based security solutions are attractive from a cost and usability perspective compared to off-device solutions such as [virtual desktop infrastructure], the constant stream of OS vulnerabilities that allow a local attacker to bypass OS integrity protection mechanisms shows that this is a risky gamble,” Litty said. “If your security controls involve installing an application on an unmanaged device and relying on this application protecting itself, you need to closely monitor this type of issue.”

About the Author