A security team from Microsoft revealed a security vulnerability in Apple’s macOS operating system that allows attackers who already hold root privileges to install “non-deletable” malware and access victim data by bypassing System Integrity Protection (SIP) and circumventing Transparency, Consent, and Control (TCC) checks.

The vulnerability is tracked as CVE-2023-32369, and Apple fixed it in the security updates for macOS Ventura 13.4, macOS Monterey 12.6.6 and macOS Big Sur 11.7.7, which were released on May 18, 2023.

Technical details about the vulnerability:

SIP is an abbreviation of “System Integrity Protection”, a security mechanism built into macOS. SIP aims to protect sensitive system files and resources from unauthorized modification and from malware installation.

SIP imposes several restrictions on the root account in macOS. When SIP is enabled, even the root user is prevented from modifying certain sensitive system files and folders.

However, Microsoft researchers found that attackers with root permissions can bypass SIP by abusing the macOS Migration Assistant, a built-in application that relies on the hidden systemmigrationd daemon. That daemon carries the com.apple.rootless.install entitlement, which gives it the ability to override SIP. An attacker with root permissions can therefore automate the migration process with AppleScript, add malicious files to the list of SIP exceptions, and launch them, all without restarting the system.

The impact of this vulnerability is severe: an attacker can create SIP-protected malware that cannot be removed by conventional deletion methods, use the SIP bypass to also bypass TCC and obtain unrestricted access to the victim’s data, and hide malicious files and operations from antivirus software.