UPDATED 18:59 EST / JANUARY 14 2025


Microsoft reveals macOS vulnerability that allowed System Integrity Protection bypass

Microsoft Threat Intelligence has revealed details of a now patched but previously unknown macOS vulnerability that could have allowed attackers to bypass Apple Inc.’s System Integrity Protection in macOS by loading third-party kernel extensions.

System Integrity Protection is a macOS security feature that is designed to prevent unauthorized modifications to system files and processes, even by users with root access. SIP helps maintain the integrity and reliability of the operating system by restricting access to critical system components and, in doing so, reduces the risk of malware and other exploits.

The vulnerability in this case, CVE-2024-44243, was introduced to macOS in a Dec. 11 update and involved exploiting the storagekitd daemon, a privileged process used for disk management. Attackers with root access could exploit the process’s special entitlements to load unauthorized kernel extensions, bypassing SIP protections and making it possible to install persistent malware or rootkits that evade detection by traditional security tools.

Microsoft’s research found that storagekitd’s ability to invoke child processes without proper validation was a critical vulnerability. By leveraging third-party file system implementations, attackers could bypass kernel extension restrictions to trigger vulnerabilities through seemingly legitimate operations, expanding the attack surface significantly.

Uncovering the vulnerability also had its own challenges due to macOS’s limited kernel visibility for security solutions. Microsoft overcame the challenge by employing proactive monitoring techniques, including tracking anomalous child processes of entitled daemons such as storagekitd. The techniques used allowed the researchers to identify CVE-2024-44243 and mitigate potential threats before attackers could exploit them on a broader scale.

Though the vulnerability is now patched — Microsoft having only gone public Monday after ensuring that Apple’s security engineers had fixed it — it does highlight that Apple’s longstanding focus on security is starting to fray.

Mayuresh Dani, manager of security research at the Qualys Threat Research Unit, told SiliconANGLE via email that “bypassing SIP could allow threat actors to install rootkits and similar functionality, allowing persistent backdoor to the vulnerable system.”

Dani gave several recommendations on how to mitigate similar macOS SIP bypasses. One is behavioral monitoring of processes with special entitlements. Teams, he said, should proactively monitor such processes, as these can be exploited to bypass SIP, and should also maintain a record of how these processes normally behave in their environments so that deviations stand out.

Another is to restrict third-party kernel extensions. Dani suggests limiting the applications that use third-party kernel extensions; such extensions should be enabled only when absolutely necessary and under strict monitoring guidelines.
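As an added illustration of the detection approach described above (Microsoft's tracking of anomalous child processes of entitled daemons such as storagekitd, and Dani's recommendation to baseline and monitor processes with special entitlements), here is a small self-contained Python check over constructed process-execution events. It is not Microsoft's or Apple's code; the baseline paths, event fields and sample events are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed baseline of child executables an entitled daemon is expected to
# spawn (an assumption for this example, not Apple's documented behavior).
EXPECTED_CHILDREN = {
    "storagekitd": {"/usr/sbin/diskutil", "/sbin/fsck_apfs", "/sbin/mount_apfs"},
}

@dataclass(frozen=True)
class ExecEvent:
    """One process-execution event as an EDR or Endpoint Security client might log it."""
    pid: int
    ppid: int
    parent: str            # executable name of the parent process
    path: str              # path of the child executable
    signed_by_apple: bool  # code-signing check result for the child binary

def why_anomalous(ev: ExecEvent) -> Optional[str]:
    """Return a reason if an entitled daemon spawned a child outside its baseline."""
    allowed = EXPECTED_CHILDREN.get(ev.parent)
    if allowed is None:
        return None  # parent is not one of the monitored entitled daemons
    if ev.path not in allowed:
        return "child path not in baseline for " + ev.parent
    if not ev.signed_by_apple:
        return "child binary not signed by Apple"
    return None

def flag_events(events):
    """Return (pid, reason) pairs for every anomalous event, in input order."""
    flagged = []
    for ev in events:
        reason = why_anomalous(ev)
        if reason:
            flagged.append((ev.pid, reason))
    return flagged

# Constructed sample events: an expected disk-management child, a child launched
# from a third-party file-system bundle, an unsigned copy of a baselined tool,
# and an unrelated launchd child that must not be flagged.
SAMPLE_EVENTS = [
    ExecEvent(4100, 310, "storagekitd", "/usr/sbin/diskutil", True),
    ExecEvent(4101, 310, "storagekitd",
              "/Library/Filesystems/example.fs/Contents/Resources/mount_example", False),
    ExecEvent(4103, 310, "storagekitd", "/sbin/mount_apfs", False),
    ExecEvent(4102, 1, "launchd", "/usr/bin/python3", True),
]
```

Calling `flag_events(SAMPLE_EVENTS)` returns the two storagekitd children that fall outside the baseline, each with the reason it was flagged.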

Jason Soroko, senior fellow at certificate lifecycle management company Sectigo Ltd., noted that the vulnerability exposed “the entire operating system to deeper compromise without needing physical access, threatening sensitive data and system controls.”

“Security teams should ensure macOS systems are patched with the latest updates, closely monitor for unusual disk management or privileged process behavior, and implement endpoint detection tools that watch for unsigned kernel extensions,” Soroko added. “Regular integrity checks, principle-of-least-privilege policies and strict compliance with Apple’s security guidelines further reduce exposure to this critical threat.”
