A recently patched security flaw in Apple’s macOS operating system could have allowed an attacker to bypass System Integrity Protection (SIP) and install malicious kernel drivers. The vulnerability, CVE-2024-44243, carries a medium-severity CVSS score of 5.5 and was addressed by Apple in macOS Sequoia 15.2, released last month.
If successfully exploited, the flaw could have enabled an attacker to modify protected parts of the file system and install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits. Microsoft Threat Intelligence team leader Jonathan Bar Or warned that bypassing SIP “could lead to serious consequences” and increased the potential for attackers to successfully install rootkits.
SIP is a security framework designed to prevent malicious software from tampering with protected parts of the operating system. It works by enforcing restrictions even against the root user account: only processes that are signed by Apple and carry special entitlements to write to system files may modify the protected locations.
The attack abuses the Storage Kit daemon (storagekitd), which holds the “com.apple.rootless.install.heritable” entitlement: because the entitlement is heritable, any child process the daemon spawns inherits its permission to write to SIP-protected locations. An attacker who already has root (the very privilege SIP is meant to constrain) can drop a new file system bundle into /Library/Filesystems; when storagekitd later executes that bundle’s code during an operation such as disk repair, the attacker’s process runs with the inherited entitlement and can modify protected parts of the file system without SIP intervening.
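As an added example (not code from Microsoft, Apple or the article), the following Python script audits a Mac for the two pieces of this attack path: whether storagekitd carries a com.apple.rootless.install* entitlement, and which third-party file system bundles sit in /Library/Filesystems, with their executables and signing chains. The storagekitd path, the use of the “Software Signing” leaf certificate as the marker for Apple platform code, and the embedded codesign-style sample outputs are assumptions or constructed data for the example; the parsers run anywhere, the live audit needs macOS.

```python
"""Audit for the storagekitd / /Library/Filesystems SIP-bypass path.
Added example; not code from Microsoft, Apple or the original article."""
import os
import plistlib
import subprocess
from pathlib import Path

FILESYSTEMS_DIR = Path("/Library/Filesystems")  # third-party bundles; Apple's own live under /System/Library/Filesystems
# Assumed location of the Storage Kit daemon; confirm on your build (e.g. via ps) before relying on it.
STORAGEKITD = Path("/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd")
HERITABLE_ENT = "com.apple.rootless.install.heritable"
APPLE_PLATFORM_LEAF = "Software Signing"  # leaf certificate on Apple's own platform binaries (assumption)

# Constructed samples in the shape codesign produces, so the parsers can be exercised offline.
# They are NOT the daemon's real entitlement set or a real bundle.
SAMPLE_ENTITLEMENTS = (
    b"\xfa\xde\x71\x71\x00\x00\x01\x0c"  # blob header some codesign builds print before the XML
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict>\n'
    b"<key>com.apple.rootless.install.heritable</key><true/>\n"
    b"<key>com.apple.rootless.install</key><false/>\n"
    b"</dict></plist>\n"
)
SAMPLE_CODESIGN_DVV = """Executable=/Library/Filesystems/example.fs/Contents/Resources/mount_example
Identifier=com.example.fs
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""


def entitlements_from_codesign_output(raw: bytes) -> dict:
    """Parse the entitlements plist printed by `codesign -d --entitlements :- <binary>`,
    skipping any binary blob header that precedes the XML."""
    start = raw.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(raw[start:])


def sip_bypass_entitlements(ents: dict) -> list:
    """Return the com.apple.rootless.install* entitlements that are set to true."""
    return sorted(k for k, v in ents.items()
                  if k.startswith("com.apple.rootless.install") and v is True)


def signing_authorities(codesign_dvv: str) -> list:
    """Extract the certificate chain (leaf first) from `codesign -dvv` output."""
    return [line.split("=", 1)[1].strip()
            for line in codesign_dvv.splitlines()
            if line.strip().startswith("Authority=")]


def is_apple_platform_binary(authorities: list) -> bool:
    """Apple platform code is signed with the 'Software Signing' leaf; Developer ID,
    ad-hoc and unsigned code is third party and should be reviewed."""
    return bool(authorities) and authorities[0] == APPLE_PLATFORM_LEAF


def executables_in_bundle(bundle: Path) -> list:
    """Every regular executable file inside a bundle: what storagekitd could spawn,
    hence every candidate to inherit the heritable entitlement."""
    return sorted(p for p in bundle.rglob("*")
                  if p.is_file() and not p.is_symlink() and os.access(p, os.X_OK))


def audit_filesystem_bundles(root) -> dict:
    """Map each bundle under root to its executables. On a clean install the directory
    is empty or holds only file systems you knowingly installed."""
    root = Path(root)
    if not root.is_dir():
        return {}
    return {b.name: [str(e) for e in executables_in_bundle(b)]
            for b in sorted(root.iterdir()) if b.is_dir()}


def codesign(args):
    """Run codesign -d ...; the report goes to stderr, the entitlements blob to stdout."""
    proc = subprocess.run(["codesign", "-d", *args], capture_output=True)
    return proc.stdout, proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    print("sample entitlements granting SIP-protected writes:",
          sip_bypass_entitlements(entitlements_from_codesign_output(SAMPLE_ENTITLEMENTS)))
    print("sample bundle signed as Apple platform code:",
          is_apple_platform_binary(signing_authorities(SAMPLE_CODESIGN_DVV)))
    try:
        ents, _ = codesign(["--entitlements", ":-", str(STORAGEKITD)])
        print(f"{STORAGEKITD}: {sip_bypass_entitlements(entitlements_from_codesign_output(ents))}")
        for bundle, exes in audit_filesystem_bundles(FILESYSTEMS_DIR).items():
            print(f"[third-party bundle] {bundle}")
            for exe in exes:
                _, report = codesign(["-vv", exe])
                chain = signing_authorities(report)
                tag = "apple" if is_apple_platform_binary(chain) else "REVIEW"
                print(f"  {tag}: {exe} ({chain[0] if chain else 'unsigned or ad-hoc'})")
    except FileNotFoundError:
        print("codesign not found: the live audit has to run on macOS")
```

Anything tagged REVIEW is not necessarily malicious (legitimate third-party file systems install here too), but each such executable is something storagekitd may run with inherited write access to protected paths, so it belongs in an allowlist and in file-integrity monitoring of /Library/Filesystems.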
The disclosure comes nearly three months after Microsoft detailed another security flaw in Apple’s TCC framework in macOS (CVE-2024-44133). Experts note that keeping third-party code out of the kernel increases macOS reliability but reduces the visibility available to security solutions, which makes SIP the backstop: once SIP is bypassed, the operating system as a whole can no longer be trusted, and attackers can tamper with security solutions to evade detection.
Experts emphasize that users must promptly update their operating systems whenever Apple releases a security fix to protect themselves from such attacks.
Source: https://thehackernews.com/2025/01/microsoft-uncovers-macos-vulnerability.html