Microsoft: macOS bug lets hackers install malicious kernel drivers
Apple recently addressed a macOS vulnerability that allows attackers to bypass System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions.
System Integrity Protection (SIP), or ‘rootless,’ is a macOS security feature that prevents malicious software from altering specific folders and files by limiting the root user account’s powers in protected areas.
SIP allows only Apple-signed processes or those with special entitlements, such as Apple software updates, to modify macOS-protected components. Disabling SIP normally requires a system restart and booting from macOS Recovery (the built-in recovery system), which requires physical access to a compromised machine device.
The security flaw (tracked as CVE-2024-44243), which can only be exploited by local attackers with root privileges in low-complexity attacks requiring user interaction, was found in the Storage Kit daemon that handles disk state-keeping.
Successful exploitation could allow attackers to bypass SIP root restrictions without physical access to install rootkits (kernel drivers), create persistent, “undeletable” malware, or circumvent Transparency, Consent, and Control (TCC) security checks to access victims’ data.
Apple has patched the vulnerability in security updates for macOS Sequoia 15.2, released one month ago, on December 11, 2024.
“System Integrity Protection (SIP) serves as a critical safeguard against malware, attackers, and other cybersecurity threats, establishing a fundamental layer of protection for macOS systems,” Microsoft said today in a report that provides more technical details on CVE-2024-44243.
“Bypassing SIP impacts the entire operating system’s security and could lead to severe consequences, emphasizing the necessity for comprehensive security solutions that can detect anomalous behavior from specially entitled processes.”
Microsoft security researchers have discovered multiple macOS vulnerabilities in recent years. A SIP bypass dubbed ‘Shrootless’ (CVE-2021-30892), reported in 2021, also allows attackers to perform arbitrary operations on compromised Macs and potentially install rootkits.
More recently, they also found another SIP bypass dubbed ‘Migraine’ (CVE-2023-32369) and a security flaw known as Achilles (CVE-2022-42821), which can be exploited to deploy malware via untrusted apps capable of bypassing Gatekeeper execution restrictions.
Microsoft principal security researcher Jonathan Bar Or also discovered ‘powerdir’ (CVE-2021-30970), another macOS vulnerability that lets attackers bypass Transparency, Consent, and Control (TCC) technology to access macOS users’ protected data.
