Microsoft Discovers Alarming MacOS Bug That Allows Hackers To Install Rootkits

Hackers are relentless, and that is hardly surprising: one successful exploit can give them access to a fortune. Thankfully, security experts are mostly on our side. Just three months ago, Microsoft security experts discovered a flaw in the macOS Transparency, Consent, and Control (TCC) framework, and they have now uncovered yet another macOS vulnerability. This time, the flaw allows threat actors to bypass Apple's System Integrity Protection (SIP) by loading third-party code that gains access to the macOS kernel.

Apple developed System Integrity Protection (SIP) to block operations that could compromise the integrity of macOS. What happens, then, if SIP is bypassed? A bypass exposes the operating system to significant risk: attackers could install rootkits, worms, and other malicious software on the device, modify vital files that are core parts of macOS, or load arbitrary kernel drivers. The danger becomes more evident when one considers that once a bad actor successfully bypasses one of SIP's restrictions, they can easily bypass several others.

Since SIP permits only Apple-authorized processes to access and alter the system's protected components, users can disable SIP only through a macOS restart or macOS Recovery. These actions typically require physical access to the MacBook. However, a bad actor who successfully exploits the vulnerability described above could remotely disable SIP and install rootkits.


In December 2024, Apple fixed this flaw in the macOS Sequoia 15.2 update, and the fix is now documented in the CVE program as CVE-2024-44248. Microsoft disclosed the flaw to Apple through Coordinated Vulnerability Disclosure (CVD), but it was not the only party to report it: malware analyst and vulnerability hunter Mickey Jin also reported the vulnerability. Microsoft expressed appreciation for the swift action Apple's security team took to fix the issue.

While explaining how users can protect themselves from this flaw, Microsoft emphasized the need for an effective security solution that detects unusual behavior from specially entitled processes. The report further recommends prohibiting third-party code from running in the kernel, which greatly reduces the exposure of macOS. This is sound advice, since the kernel manages hardware resources on macOS: bad actors who gain access to the kernel can essentially control everything on your MacBook. Running an outdated macOS version therefore puts you at greater risk. To protect your MacBook from this flaw, update to macOS Sequoia 15.2 or a later version as soon as possible.