Microsoft found a critical security bug in Apple’s macOS that could have many users worried.
The vulnerability is tracked as CVE-2023-32369. It has been dubbed Migraine, and allows threat actors with root privileges to bypass System Integrity Protection (SIP), essentially being given the opportunity to install malware that cannot be deleted from the endpoint. Furthemore, the flaw allows threat actors to work around Transparency, Consent, and Control (TCC) feature, and access sensitive data.
The bug has since been patched across the Apple ecosystem, with users told to apply the fix as soon as they can.
Arbitrary code execution
System Integrity Protection is a feature on Apple devices that restricts the root account. Also known as “rootless”, the feature makes the OS kernel put checks on the root user’s access, preventing it from making certain changes to key folders and files. Devices with SIP only allow Apple-signed processes, or those with special Apple entitlements (think patches and updates), to make changes to protected components and elements.
The only way to disable SIP is to have physical access to the target endpoint, making compromise through this avenue almost impossible. Still, Microsoft’s team found a way to bypass SIP through the Migration Assistant, a tool that allows users to migrate their data to a new device.
“By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks,” Microsoft’s researchers explained.
In other words, threat actors could add malware to SIP’s exclusion list and then, without botting from macOS Recovery, automate the migration process.
Apple has fixed the vulnerability in macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, so make sure to bring your operating system up to date immediately.