Dataconomy

Your Mac may be at risk: Fix the new SIP exploit immediately

This vulnerability, rated with a CVSS score of 5.5 and classified as medium severity, was addressed by Apple in macOS Sequoia 15.2, released last month

By Kerem Gülen
January 15, 2025
In Cybersecurity, News

Microsoft has disclosed a recently patched security vulnerability in Apple’s macOS, identified as CVE-2024-44243, which could allow an attacker operating with root privileges to bypass the System Integrity Protection (SIP) of the operating system and install malicious kernel drivers through third-party kernel extensions.

Microsoft reveals macOS vulnerability allowing SIP bypass

This vulnerability, rated with a CVSS score of 5.5 and classified as medium severity, was addressed by Apple in macOS Sequoia 15.2, released last month. Apple categorized the issue as a “configuration issue” that could enable a malicious app to alter protected areas of the file system.

According to Jonathan Bar Or of the Microsoft Threat Intelligence team, “Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.”

SIP, also referred to as rootless, serves as a security framework to prevent malicious software from tampering with essential components of macOS, including directories like /System, /usr, /bin, /sbin, /var, and pre-installed applications. SIP enforces strict permissions on the root account, allowing modifications to these areas only by processes signed by Apple, including Apple software updates.

Two key entitlements are associated with SIP: com.apple.rootless.install, which lets a process bypass SIP’s file system restrictions, and com.apple.rootless.install.heritable, which extends the same ability to every child process of the entitled process.

The exploitation of CVE-2024-44243 relies on the com.apple.rootless.install.heritable entitlement held by the Storage Kit daemon (storagekitd). Because storagekitd can invoke arbitrary processes without adequate checks, an attacker can introduce a new file system bundle in /Library/Filesystems, which leads to the alteration of binaries associated with Disk Utility. This can be triggered during operations such as a disk repair.
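The two entitlements above are what a defender needs to inventory: any binary that holds one of them is a candidate for the kind of abuse described here. The script below is an added example, not Microsoft’s or Apple’s code. It parses the XML entitlement property list that `codesign -d --entitlements :- <binary>` prints on macOS (the `:` prefix strips the blob header; the parser also tolerates a header being present) and reports which of the SIP-bypass entitlements are actually granted. The two sample plists are constructed for illustration; `audit_binary` is the only part that requires macOS.

```python
"""Report SIP-bypass entitlements in a code-signing entitlement plist.

Added example, not code from the article or from Apple/Microsoft.
The sample plists at the bottom are constructed inputs.
"""
import plistlib
import subprocess
import sys

# The two entitlements the article names and what each grants.
SIP_BYPASS_ENTITLEMENTS = {
    "com.apple.rootless.install": "may write to SIP-protected paths",
    "com.apple.rootless.install.heritable": "same, and inherited by every child process",
}


def parse_entitlements(raw: bytes) -> dict:
    """Parse codesign's entitlement output into a dict.

    codesign may emit a binary blob header before the XML; skip to the
    first '<?xml' so both the raw and the ':'-stripped form are accepted.
    An unsigned binary or one without entitlements yields {}.
    """
    start = raw.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(raw[start:])


def sip_findings(entitlements: dict) -> list:
    """Return sorted (key, meaning) pairs for each granted SIP-bypass entitlement.

    A key explicitly set to <false/> grants nothing, so only truthy values count.
    """
    return sorted(
        (key, SIP_BYPASS_ENTITLEMENTS[key])
        for key, value in entitlements.items()
        if key in SIP_BYPASS_ENTITLEMENTS and value
    )


def audit_binary(path: str) -> list:
    """macOS only (assumed usage): run codesign on a real binary and audit it."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        capture_output=True, check=False,
    ).stdout
    return sip_findings(parse_entitlements(out))


# Constructed sample: a daemon-style binary holding the heritable grant.
DAEMON_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.rootless.install.heritable</key><true/>
  <key>com.example.constructed.other</key><true/>
</dict></plist>"""

# Constructed sample: an ordinary sandboxed app that explicitly disables the grant.
APP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.rootless.install</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    if sys.argv[1:]:
        # Real binaries given on the command line (macOS only).
        for target in sys.argv[1:]:
            print(target, audit_binary(target))
    else:
        # Offline demonstration on the constructed samples.
        for label, blob in (("daemon", DAEMON_PLIST), ("app", APP_PLIST)):
            print(label, sip_findings(parse_entitlements(blob)))
```

Run without arguments to see the constructed samples classified; on a Mac, pass one or more binary paths to audit them for real. Extending `SIP_BYPASS_ENTITLEMENTS` with other privileged keys turns this into a general entitlement inventory.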

Bar Or elaborated, stating, “Since an attacker that can run as root can drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP. Triggering the erase operation on the newly created file system can bypass SIP protections as well.”

This revelation follows a previous Microsoft report detailing another vulnerability in macOS’s TCC framework, tracked as CVE-2024-44133, which also risks user data security. Bar Or noted that while SIP enhances macOS reliability, it simultaneously limits the oversight capabilities of security solutions.

Jaron Bradley, director of Threat Labs at Jamf, emphasized SIP’s significance, stating it is a prime target for both researchers and attackers, with many of Apple’s security protocols predicated on SIP being invulnerable. “An exploit of SIP could allow an attacker to bypass these prompts, hide malicious files in protected areas of the system, and potentially gain deeper access,” he added.

Cybersecurity professionals are urged to keep macOS systems up to date: the vulnerability was resolved in Apple’s December 11 security update. Without SIP, attackers could deploy rootkits or persistent malware undetected, even without physical access to the machines.

Experts recommend that security teams vigilantly monitor processes with special entitlements that might circumvent SIP. Mayuresh Dani, manager of security research at Qualys, suggested that “teams should proactively monitor processes with special entitlements, as these can be exploited to bypass SIP.”

Additionally, unusual disk management activities and atypical privileged user behaviors should be monitored to bolster security against these types of attacks. As vulnerabilities like CVE-2024-44243 illustrate, organizations should cautiously manage third-party kernel extensions and only enable them when absolutely necessary, coupled with stringent monitoring protocols.
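The monitoring advice in the two paragraphs above (processes with special entitlements, unusual disk-management activity, third-party file system bundles) can be turned into concrete detection rules. The script below is an added example, not Microsoft’s, Jamf’s or Qualys’ code. It runs two rules over endpoint telemetry records, constructed here as Python dicts (a real feed would come from an EDR or Apple’s Endpoint Security framework): a file written under /Library/Filesystems, the third-party bundle directory that root can write to, and storagekitd spawning an executable that lives outside /System. The daemon is matched by its basename because its full path is an assumption; the bundle allowlist is a constructed example rather than a list of real vendor bundles.

```python
"""Detection rules for the disk-management activity the article says to watch.

Added example, not code from the article or the vendors it quotes.
EVENTS below is constructed telemetry, not real log data.
"""
from pathlib import PurePosixPath

THIRD_PARTY_FS_DIR = PurePosixPath("/Library/Filesystems")
SYSTEM_PREFIX = PurePosixPath("/System")
STORAGE_DAEMON = "storagekitd"  # matched by basename; full path is an assumption


def under(path: str, prefix: PurePosixPath):
    """Return the relative path if `path` lies under `prefix`, else None."""
    try:
        return PurePosixPath(path).relative_to(prefix)
    except ValueError:
        return None


def bundle_name(path: str):
    """Return 'name.fs' if `path` is inside a bundle under /Library/Filesystems."""
    rel = under(path, THIRD_PARTY_FS_DIR)
    return rel.parts[0] if rel is not None and rel.parts else None


def detect(events, allowed_bundles=frozenset()):
    """Apply both rules and return a list of alert dicts in event order."""
    alerts = []
    for ev in events:
        kind = ev.get("event")
        if kind in ("file_create", "file_write"):
            # Rule 1: something dropped or modified a third-party file system bundle.
            name = bundle_name(ev.get("path", ""))
            if name and name not in allowed_bundles:
                alerts.append({"ts": ev["ts"], "rule": "new_fs_bundle",
                               "bundle": name, "proc": ev.get("proc"), "uid": ev.get("uid")})
        elif kind == "exec":
            # Rule 2: the storage daemon launched a binary outside /System.
            parent = PurePosixPath(ev.get("parent", "")).name
            target = ev.get("proc", "")
            if parent == STORAGE_DAEMON and under(target, SYSTEM_PREFIX) is None:
                alerts.append({"ts": ev["ts"], "rule": "storagekitd_nonsystem_child",
                               "proc": target, "uid": ev.get("uid")})
    return alerts


# Constructed telemetry: one benign write, one bundle drop, one suspicious spawn,
# and one normal Apple-signed child of the daemon.
EVENTS = [
    {"ts": "2025-01-15T10:00:01Z", "event": "file_create", "proc": "/bin/cp", "uid": 501,
     "path": "/Users/alice/notes.txt"},
    {"ts": "2025-01-15T10:02:11Z", "event": "file_create", "proc": "/usr/bin/tar", "uid": 0,
     "path": "/Library/Filesystems/example.fs/Contents/Resources/example_util"},
    {"ts": "2025-01-15T10:02:40Z", "event": "exec", "uid": 0,
     "proc": "/Library/Filesystems/example.fs/Contents/Resources/example_util",
     "parent": "/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd"},
    {"ts": "2025-01-15T10:03:05Z", "event": "exec", "uid": 0,
     "proc": "/System/Library/Filesystems/apfs.fs/Contents/Resources/fsck_apfs",
     "parent": "/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Rule 1 fires on any bundle not on the allowlist, so a fleet that legitimately uses a third-party driver should add that bundle’s name to `allowed_bundles` after verifying its signature; rule 2 deliberately ignores Apple’s own helpers under /System, which is where the legitimate file system bundles live.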

The flaw discovered by Microsoft not only continues a pattern of macOS security issues but also underlines the platform’s exposure more broadly, as shown by the recent detection of the “Banshee” infostealer malware, which reportedly evaded Apple’s antivirus measures by using a stolen encryption algorithm.

Microsoft’s analysis indicates that this specific flaw arises from the Storage Kit daemon’s role in overseeing disk operations, allowing possible exploitation by embedding custom code in third-party file systems, including Tuxera, Paragon, EaseUS, and iBoysoft.


Featured image credit: Szabo Viktor/Unsplash 
