Microsoft found a critical security bug in Apple's macOS that could have many users worried.
The vulnerability is tracked as CVE-2023-32369. It has been dubbed Migraine, and allows threat actors with root privileges to bypass System Integrity Protection (SIP), essentially being given the opportunity to install malware that cannot be deleted from the endpoint. Furthemore, the flaw allows threat actors to work around Transparency, Consent, and Control (TCC) feature, and access sensitive data.
The bug has since been patched across the Apple ecosystem, with users told to apply the fix as soon as they can.
Arbitrary code execution
System Integrity Protection is a feature on Apple devices that restricts the root account. Also known as “rootless”, the feature makes the OS kernel put checks on the root user’s access, preventing it from making certain changes to key folders and files. Devices with SIP only allow Apple-signed processes, or those with special Apple entitlements (think patches and updates), to make changes to protected components and elements.
The only way to disable SIP is to have physical access to the target endpoint, making compromise through this avenue almost impossible. Still, Microsoft’s team found a way to bypass SIP through the Migration Assistant, a tool that allows users to migrate their data to a new device.
"By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks," Microsoft’s researchers explained.
In other words, threat actors could add malware to SIP’s exclusion list and then, without botting from macOS Recovery, automate the migration process.
Apple has fixed the vulnerability in macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, so make sure to bring your operating system up to date immediately.
- Stay protected online with these best ransomware protection
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.