Microsoft Exposes macOS SIP Flaw Enabling Persistent Malware

Apple has patched macOS Sequoia 15.2 for vulnerabilities discovered by Microsoft that exposed users to malware risks and privacy breaches via SIP and TCC exploits.

Apple recently resolved two significant vulnerabilities in macOS that exposed users to potential malware persistence and unauthorized access to sensitive data.

These issues, uncovered by Microsoft researchers (via Securityaffairs), involved critical flaws in System Integrity Protection (SIP) and the Transparency, Consent, and Control (TCC) framework. Patched in macOS Sequoia 15.2, these vulnerabilities illustrate the importance of continuous improvements to macOS security.

The first flaw, tracked as CVE-2024-44243, allowed attackers with root access to bypass SIP, a core macOS security feature that prevents unauthorized changes to the system. The second, identified as CVE-2024-44133 and nicknamed “HM Surf,” exploited weaknesses in TCC, enabling unauthorized access to sensitive data.

Understanding the SIP Vulnerability

System Integrity Protection, introduced in macOS to safeguard system-critical files and processes, restricts who may modify protected parts of the operating system. It ensures that only applications signed and notarized by Apple or installed via the App Store can modify those protected locations.

However, Microsoft researchers discovered that this safeguard could be bypassed using private entitlements embedded in specific system processes.

Private entitlements are specialized permissions reserved for internal macOS functions, such as com.apple.rootless.install.heritable. This entitlement, when inherited by child processes, enables them to bypass SIP restrictions, thereby exposing the system to rootkit installations and other malicious actions.


Microsoft highlighted the role of the macOS daemon storagekitd, responsible for disk management operations. Attackers could exploit this daemon to add custom file system bundles to /Library/Filesystems.

According to Microsoft, “Since an attacker that can run as root can drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP.” Microsoft stated, “Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.”

This approach allows attackers to override trusted system binaries, such as Disk Utility, to execute malicious code.

TCC Exploit and Privacy Risks

The second vulnerability, CVE-2024-44133, targeted the Transparency, Consent, and Control (TCC) framework. TCC, released in macOS Mojave 10.14, is a vital macOS component that manages app permissions for accessing sensitive data, such as the camera, microphone, and location services.

The flaw allowed attackers to bypass TCC protections, enabling unauthorized access to user data, including browsing history and private system files.

This vulnerability was particularly impactful on Safari, where it enabled attackers to exploit the browser’s access permissions. Microsoft noted that this issue could expose sensitive user information without explicit consent, further emphasizing the risks posed by such vulnerabilities.

While the updates resolve these specific flaws, the discoveries underscore broader challenges in securing complex systems. Microsoft emphasized the importance of monitoring anomalous behavior in processes with private entitlements, as these can serve as entry points for sophisticated attacks.
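The monitoring advice above, together with the storagekitd chain Microsoft describes, translates into a concrete detection rule: a process holding com.apple.rootless.install.heritable should only ever spawn Apple-signed platform binaries, and an executable running out of /Library/Filesystems deserves a second look. The script below is an added example, not code from the article or from Microsoft; it assumes a hypothetical endpoint agent that exports one JSON object per process-exec event with the field names used here (parent, parent_entitlements, path, signer), and the telemetry lines are constructed for illustration.

```python
"""Audit process-exec telemetry for the storagekitd / SIP-bypass pattern.

Assumption (not from the original article): an endpoint agent emits one JSON
object per exec event with the fields parent, parent_entitlements, path and
signer. These field names are hypothetical; map them to your EDR's schema.
"""
import json

# Entitlement named in Microsoft's write-up: a child that inherits it runs
# outside SIP's restrictions, so its children must be Apple platform binaries.
HERITABLE_SIP_ENTITLEMENT = "com.apple.rootless.install.heritable"
# Directory where, per the report, a root attacker can drop a file system bundle.
FS_BUNDLE_DIR = "/Library/Filesystems/"

# Constructed sample telemetry (not real data). Line 2 models the chain the
# article describes; line 4 models a legitimate third-party file system driver,
# which lands in the same directory and needs allowlisting, not an incident
# ticket; line 5 is deliberately malformed to exercise error handling.
SAMPLE_TELEMETRY = """\
{"parent": "storagekitd", "parent_entitlements": ["com.apple.rootless.install.heritable"], "path": "/System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util", "signer": "apple"}
{"parent": "storagekitd", "parent_entitlements": ["com.apple.rootless.install.heritable"], "path": "/Library/Filesystems/unknown.fs/Contents/Resources/mount_unknown", "signer": "adhoc"}
{"parent": "Terminal", "parent_entitlements": [], "path": "/bin/ls", "signer": "apple"}
{"parent": "launchd", "parent_entitlements": [], "path": "/Library/Filesystems/example.fs/Contents/Resources/mount_example", "signer": "developer-id"}
not json at all
"""


def analyze_event(event):
    """Return a list of finding strings for one exec event (empty if benign)."""
    findings = []
    parent_entitlements = set(event.get("parent_entitlements", []))
    path = event.get("path", "")
    # "signer" is the hypothetical agent's verdict on the code signature.
    apple_signed = event.get("signer") == "apple"

    # Rule 1: a SIP-entitled parent spawned something Apple did not sign.
    if HERITABLE_SIP_ENTITLEMENT in parent_entitlements and not apple_signed:
        findings.append("non-Apple child of SIP-entitled parent")

    # Rule 2: code executing from a third-party file system bundle. This is a
    # triage signal, not proof: legitimate third-party drivers live here too.
    if path.startswith(FS_BUNDLE_DIR) and not apple_signed:
        findings.append("exec from third-party file system bundle")

    return findings


def audit(telemetry):
    """Parse newline-delimited JSON and return (line_no, path, findings) tuples.

    Only lines that produced at least one finding are returned; unparseable
    lines are reported rather than silently dropped, since a broken feed is
    itself a detection gap.
    """
    results = []
    for line_no, raw in enumerate(telemetry.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            results.append((line_no, None, ["unparseable telemetry line"]))
            continue
        findings = analyze_event(event)
        if findings:
            results.append((line_no, event.get("path", "?"), findings))
    return results


if __name__ == "__main__":
    for line_no, path, findings in audit(SAMPLE_TELEMETRY):
        print(f"line {line_no}: {path}: {'; '.join(findings)}")
```

Run against the constructed feed, only the second, fourth and fifth lines surface: the ad-hoc-signed binary spawned by storagekitd trips both rules, the Developer ID-signed driver trips only the bundle-location rule (the case an allowlist should absorb), and the malformed line is reported so a silent telemetry failure cannot hide the first two.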

Technical Insights and Broader Implications

The discovered vulnerabilities highlight the intricate balance between functionality and security in modern operating systems. Private entitlements, though essential for internal macOS operations, present significant risks if exploited. Processes like storagekitd, which manage critical tasks such as disk operations, must be monitored carefully to detect potential abuse.

The SIP bypass issue also demonstrates how attackers can exploit system components to gain persistence and elevate their privileges. Similarly, the TCC vulnerability reveals the need for robust permission controls to safeguard user privacy. Apple’s updates included stricter validation measures within TCC and SIP to mitigate these risks.

Markus Kasanmascheff
Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
