New macOS vulnerability found by Microsoft

Overview

Impact

“SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity.”

This vulnerability is “increasing attack vectors” – “a path or method” that can be misused and exploited.

This means an attacker can obtain access to a computer much more easily.

Affected Products

macOS devices.

Containment, Mitigations & Remediations

SIP locks down the system from root by leveraging the Apple sandbox to protect the entire platform. Internally, it is controlled by NVRAM variables.

These variables cannot be modified in “non-recovery mode.”

So, the only legal way “to disable SIP is by booting into recovery mode and turning SIP off. Turning SIP on or off is done using the built-in csrutil tool, which can also display the SIP status”.

“This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.”

Apple announced that they resolved the problem with further restraints – part of security updates implemented on October 26, 2021.

Indicators of Compromise

“An inherited permissions issue was addressed with additional restrictions. This issue is fixed in macOS Monterey 12.0.1, Security Update 2021-007 Catalina, macOS Big Sur 11.6.1. A malicious application may be able to modify protected parts of the file system.”

Mitre Methodologies

T1014 – Rootkit

Further Information

About the security content of macOS Monterey 12.0.1
About the security content of Security Update 2021-007 Catalina
About the security content of macOS Big Sur 11.6.1