Flaw in macOS briefly allowed attackers to install what they wanted

Security researchers at Microsoft have disclosed a now-patched macOS vulnerability that allowed attackers to bypass a Mac's System Integrity Protection.

Credit: Andrew O'Hara, AppleInsider


The vulnerability, dubbed "Shrootless," leverages the fact that Apple-notarized app install packages can still perform activities that SIP normally bars. According to a blog post by Microsoft's 365 Defender Research Team, this is because, for those installers, the kernel still permits changes to protected locations on macOS.

Normally, these types of changes are blocked by SIP, which was first introduced in macOS 10.11 El Capitan. The feature adds kernel-level protection for specific files within macOS, preventing changes even when an app or user has root privileges.

However, as Microsoft notes, SIP must allow installer packages to bypass the protections temporarily in order to install an app or other files. It does so through an inheritance system: the processes an installer spawns inherit its SIP-bypass capability.

The problem lies in the fact that install packages can contain post-install scripts, which macOS runs with the default system shell. If an attacker were able to modify those scripts, their code would run with the inherited SIP-bypass privileges.

Of course, the attack technique hinges on whether a user downloads and runs an installer package that has been tampered with. An attacker could trick a user into downloading a malicious installer package, or a user could simply download one inadvertently through carelessness.

Once exploited, the vulnerability could theoretically allow an attacker to perform other attacks through elevated permissions, or gain persistence on a system.

How to protect yourself

Apple patched the vulnerability in macOS Monterey 12.0.1, as well as in security updates to macOS Big Sur and macOS Catalina.

However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers.


Comments

  • Reply 1 of 14
    lkrupp, Posts: 10,557, member
    So Microsoft and Google are researching and reporting macOS and iOS flaws. Fine and good. Does Apple itself have a security research team looking for flaws in macOS, Windows, Android, iOS?

    "However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers."

    Yeah, right, okay. No patch coming, gotta buy new hardware? Really?
    edited October 2021
  • Reply 2 of 14
    crowley, Posts: 10,453, member
    lkrupp said:
    So Microsoft and Google are researching and reporting macOS and iOS flaws. Fine and good. Does Apple itself have a security research team looking for flaws in macOS, Windows, Android, iOS?

    "However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers."

    Yeah, right, okay. No patch coming, gotta buy new hardware? Really?
    They mean upgrade the software, genius.
  • Reply 3 of 14
    crowley, Posts: 10,453, member
    And if the hardware can't handle newer software, then yes, upgrade the hardware, because it's insecure.
  • Reply 4 of 14
    If people never upgraded we would still be using PowerPCs.
  • Reply 5 of 14
    lkrupp said:
    So Microsoft and Google are researching and reporting macOS and iOS flaws. Fine and good. Does Apple itself have a security research team looking for flaws in macOS, Windows, Android, iOS?
    Who cares? Just be grateful that they are.

    This was a *bad* exploit. Actually it was several, but the one with zsh is just embarrassing! I am very very glad they found it and reported it to Apple.

    Now that I think of it, Apple's mitigation isn't really complete. I will have to play around with this some, but I think the short-term patch would be to create zero-length root-owned unwritable .zshenv files in every admin user's home dir. (Or really, every home dir, to be safe.)
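The stopgap proposed in the reply above (zero-length, root-owned, unwritable .zshenv files in every home directory) and the article's point that post-install scripts run under the default system shell, worked as an added example that is not part of the article, Microsoft's write-up or the comment: a POSIX sh script that audits each home directory's .zshenv for the properties that would let a local user plant one, and creates the locked-down placeholder where none exists. It assumes the macOS layout of home directories under /Users plus /var/root, and a ROOT variable (my assumption, not anything on the page) so the audit can be pointed at a scratch tree.

```shell
#!/bin/sh
# Added example, not code from the article, Microsoft or the commenter.
# zsh sources ~/.zshenv before it runs an installer's post-install script,
# so a user-writable .zshenv is the file a local attacker would plant.
# ROOT (my assumption) lets the audit be pointed at a scratch tree.
ROOT=${ROOT:-}

# Owner name and octal permission bits; GNU stat first, BSD/macOS stat as fallback.
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# Classify one .zshenv: missing | symlink | owner=<who> | writable | ok.
# $2 is the owner that is acceptable (root unless told otherwise).
zshenv_check() {
    f=$1; want=${2:-root}
    [ -L "$f" ] && { echo symlink; return 0; }     # target could be anywhere
    [ -e "$f" ] || { echo missing; return 0; }
    o=$(file_owner "$f")
    [ "$o" = "$want" ] || { echo "owner=$o"; return 0; }
    case $(file_mode "$f") in                      # group or other write bit set?
        *[2367][0-7]|*[2367]) echo writable ;;
        *)                    echo ok ;;
    esac
}

# The stopgap from the reply: an empty, read-only placeholder owned by root.
# Refuses to touch a non-empty file so a user's real config is never truncated.
zshenv_harden() {
    f=$1
    if [ -s "$f" ]; then echo "refusing: $f is not empty" >&2; return 1; fi
    [ -e "$f" ] || : > "$f"
    chmod 0444 "$f" || return 1
    [ "$(id -u)" -eq 0 ] && chown root "$f"        # only root can chown
    command -v chflags >/dev/null 2>&1 && chflags uchg "$f"   # macOS: lock it
    return 0
}

# Report every home directory on a Mac, plus root's own.
zshenv_audit() {
    for h in "$ROOT"/Users/* "$ROOT"/var/root; do
        [ -d "$h" ] || continue
        printf '%s\t%s\n' "$h/.zshenv" "$(zshenv_check "$h/.zshenv")"
    done
}
```

Run `zshenv_audit` as root to list every user's file with its classification; `zshenv_harden /Users/NAME/.zshenv` only creates the placeholder where the user has no .zshenv of their own.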
  • Reply 6 of 14
    mcdave, Posts: 1,927, member
    Desperate! M1 series must be a real threat.
  • Reply 7 of 14
    asdasd, Posts: 5,686, member
    I’d assume that the installer had to have root privileges for other reasons.
  • Reply 8 of 14
    MplsP, Posts: 3,925, member
    crowley said:
    And if the hardware can't handle newer software, then yes, upgrade the hardware, because it's insecure.
    Catalina runs on all 2012 and newer Macs. Apple is providing updates for 9-year-old Macs and @lkrupp is complaining???

    mcdave said:
    Desperate! M1 series must be a real threat.
    No, security isn’t a Mac vs Windows game, it’s a good guys vs bad guys game. Good security and understanding exploits benefits everyone. 
  • Reply 9 of 14
    Yes, and those defenses were so "smart" that you cannot delete a downloaded outdated macOS version installer unless you disable SIP and restart in recovery mode. Yet other files related to the system can be modified. That is how much is worth testing at Apple before a product is released to the market.

    Linux desktops and laptops look far uglier, but they do not seem to have these kinds of problems somehow.
    edited October 2021
  • Reply 10 of 14
    mcdave said:
    Desperate! M1 series must be a real threat.
    Stop being stupid. This was a horrendous and easily exploitable security flaw that completely exposed the system to any local attacker *and* to any remote attack that could social-engineer a local user into running anything that could drop an invisible file (a dot file) into the user's home dir - where it would sit, a time-bomb, until the next time an installer ran.

    The decision to support shell scripts in installers was bound to cause problems. I'd say it was crazy except if they didn't do that or something similar, many developers would have chosen a different installer platform and then that fragmentation would have been even worse. But even so, using *zsh* is asking for trouble - it's an awesome interactive shell but way too big and sprawling for this, and that's exactly what bit them on the ass. If they'd been using some traditional sh clone, this flaw wouldn't have existed. Of course that's not easy to arrange when zsh is root's login shell. But... nobody ever said security is easy.

    After some hopeful signs a few years ago (the bug bounty program), Apple is again showing very poor security practices, and it should be distressing to you and every other Mac user. We all need Apple to be better at this.

    The awesomeness of the M1 has nothing to do with bad security practices.

    All that said:
    Linux desktops and laptops look far uglier, but they do not seem to have these kinds of problems somehow.
    That's a quite ridiculous claim. Linux also has security problems, though it benefits even more from the same minority-platform effect that has shielded Apple, at least as far as desktops go (server is a different story, and of course there's some overlap so it gets a little fuzzy). Some distros are better at handling this than others. However, it would be fair to say that few of them do things as badly as Apple, because users will simply abandon them for better distros if they do. Apple has a level of lock-in that distros don't.
  • Reply 11 of 14
    lkrupp, Posts: 10,557, member
    crowley said:
    lkrupp said:
    So Microsoft and Google are researching and reporting macOS and iOS flaws. Fine and good. Does Apple itself have a security research team looking for flaws in macOS, Windows, Android, iOS?

    "However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers."

    Yeah, right, okay. No patch coming, gotta buy new hardware? Really?
    They mean upgrade the software, genius.
    Tell that to all those users whose software can’t be updated because their hardware can’t install Catalina or later...genius.
  • Reply 12 of 14
    MplsP, Posts: 3,925, member
    lkrupp said:
    crowley said:
    lkrupp said:
    So Microsoft and Google are researching and reporting macOS and iOS flaws. Fine and good. Does Apple itself have a security research team looking for flaws in macOS, Windows, Android, iOS?

    "However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers."

    Yeah, right, okay. No patch coming, gotta buy new hardware? Really?
    They mean upgrade the software, genius.
    Tell that to all those users whose software can’t be updated because their hardware can’t install Catalina or later...genius.
    Then you need to read his next post.

    Like I said, Catalina runs on all Mac models since 2012. If your Mac is 10 years old it’s time to upgrade and you really can’t complain about Apple not issuing security updates for an OS that’s 4 versions old. #entitled
  • Reply 13 of 14
    "However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers."

    Right. Because Apple does not want to fix security in older systems (it can), buy new equipment, as there will be no patch. Sounds like a car owner has to buy a new car every three to five years because the keys cannot be upgraded/changed by the manufacturer. Well, I'd certainly buy. I did, and made it a Linux desktop. All security patches for many years, as LTS promises, and later change the OS to a newer one (no problem) and extend LTS by probably another few years. But hey, you do not get fancy features for 15 minutes of fame and use like from Apple. A tradeoff must be made. I made mine after 15 years with Apple computers. My MintBook Air (ex-MacBook Air 2010) works like a charm and it has security updates.
  • Reply 14 of 14
    elijahg, Posts: 2,759, member
    The cost of issuing security updates for old systems is negligible for most issues. They're often bounds checking issues which is literally a couple of lines of code and a recompile.

    People stay on older OSs not only because the hardware can't support newer OSs, but because of backwards compatibility with old programs - support for which Apple is notorious for ditching at regular intervals. They dropped Classic in 10.5, Rosetta in 10.7, 32-bit apps in 10.15, and no doubt Intel apps in macOS 13 or 14, along with many deprecated and removed APIs in the interim releases.

    I'm yet to upgrade to Monterey for example as I have no doubt half the development tools and workflows I use will break.
    edited November 2021