Skip to main content

Microsoft warns of nasty new macOS vulnerability with an excellent name

Man using macOS Monterey on a MacBook
(Image credit: Kaspars Grinvalds / Apple)

Cybersecurity researchers at Microsoft have helped Apple patch a vulnerability that could allow attackers to bypass the System Integrity Protection (SIP) in macOS and perform arbitrary operations.

The Microsoft 365 Defender research team also discovered that a similar technique could allow attackers to elevate their privileges to root an affected device.

“SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity. We discovered the vulnerability while assessing processes entitled to bypass SIP protections,” notes Jonathan Bar Or, Senior security researcher at Microsoft. 

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The vulnerability, named shrootless and tracked as CVE-2021-30892 was reported to Apple who pushed a patch for it in the security updates released earlier this week, on October 26, 2021.

Go shrootless

Explaining the vulnerability, Bar Or says that SIP, also known as rootless, was first introduced in macOS Yosemite as a mechanism to lock down the system from root by leveraging the Apple sandbox to protect the entire platform. 

In other words, SIP essentially restricts a root user from performing operations that could compromise a system’s integrity. 

However, the researchers found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. Bar Or notes that the vulnerability could be exploited to create a specially crafted file that hijacks the installation process, in order to bypass SIP’s restrictions. 

Once that’s done, the attacker could then overwrite system files, or install rootkits and malware. Bar Or said the researchers demonstrated the vulnerability by developing a fully functional proof-of-concept (PoC) exploit. 

“Security technology like SIP in macOS devices serves both as the device’s built-in baseline protection and the last line of defense against malware and other cybersecurity threats. Unfortunately, malicious actors continue to find innovative ways of breaching these barriers for these very same reasons….Our research on the CVE-2021-30892 vulnerability exemplifies this,” Bar Or concludes, building a case for businesses to switch to  solutions like Microsoft Defender for Endpoint.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.