Flaw in macOS briefly allowed attackers to install what they wanted
Security researchers at Microsoft have disclosed a now-patched macOS vulnerability that allowed attackers to bypass a Mac's System Integrity Protection.
Credit: Andrew O'Hara, AppleInsider
The vulnerability, dubbed "Shrootless," leverages the fact that Apple-notarized app install packages can still perform activities normally barred by SIP. According to a blog post by Microsoft's 365 Defender Research Team, this is because the kernel can still alter protected locations on macOS.
Normally, these types of attacks are prevented by SIP, which was first introduced in macOS 10.11 El Capitan. The feature adds kernel-level defenses against changing specific files within macOS, even if an app or user has root privileges.
However, as Microsoft notes, SIP must allow installer packages to temporarily bypass the protections in order to install an app or other files. It does so by allowing the packages to bypass SIP through an inheritance system.
The problem lies in the fact that install packages can contain post-install scripts that macOS runs with the default system shell. If an attacker were to modify those scripts, they would be executed with the inherited SIP bypass privileges.
Of course, the attack technique would hinge on whether a user downloads and runs an installer package that has been tampered with. An attacker could trick a user into downloading a malicious installer package, or a user could simply download one inadvertently through carelessness.
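As an added illustration of the kind of check a cautious admin could run on a downloaded package before installing it (example code written for this article, not Apple's or Microsoft's), the script below audits the pre/post-install scripts of an expanded package. It assumes the package has been expanded (for instance with pkgutil --expand) into a folder whose Scripts/ directory holds preinstall and postinstall, and that a known-good SHA-256 manifest for those scripts is available; the sample package is constructed in a temporary directory.

```python
"""Audit the pre/post-install scripts of an expanded macOS installer package.
Added example, not code from Apple or Microsoft. Assumes the expanded layout
<pkg>/Scripts/{preinstall,postinstall} and a known-good SHA-256 manifest."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

SCRIPT_NAMES = ("preinstall", "postinstall")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_scripts(expanded_pkg: Path, manifest: dict) -> list:
    """Return findings; an empty list means the install scripts look intact."""
    findings = []
    scripts_dir = expanded_pkg / "Scripts"
    for name in SCRIPT_NAMES:
        script = scripts_dir / name
        if not script.exists():
            continue  # a package need not ship both scripts
        if name not in manifest:
            findings.append(f"{name}: not in manifest (unexpected script)")
            continue
        if sha256_of(script) != manifest[name]:
            findings.append(f"{name}: hash mismatch (possible tampering)")
        # A script anyone can edit can be changed before the installer runs it.
        if script.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{name}: writable by group/others")
    return findings


def demo() -> tuple:
    """Constructed package: audit a pristine copy, then a modified one."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "Scripts").mkdir()
        good = b"#!/bin/sh\n/usr/bin/true\n"  # constructed benign postinstall
        script = pkg / "Scripts" / "postinstall"
        script.write_bytes(good)
        manifest = {"postinstall": hashlib.sha256(good).hexdigest()}
        pristine = audit_scripts(pkg, manifest)
        # Simulate a tampered script with a loose permission bit.
        script.write_bytes(good + b"echo modified\n")
        os.chmod(script, 0o777)
        tampered = audit_scripts(pkg, manifest)
    return pristine, tampered
```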
Once exploited, the vulnerability could theoretically allow an attacker to perform other attacks through elevated permissions, or gain persistence on a system.
How to protect yourself
Apple patched the vulnerability in macOS Monterey 12.0.1, as well as in security updates to macOS Big Sur and macOS Catalina. However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers.
Comments
"However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers."
Yeah, right, okay. No patch coming, gotta buy new hardware? Really?
Linux desktops and laptops look far uglier, but they do not seem to have these kinds of problems somehow.
That's a quite ridiculous claim. Linux also has security problems, though it benefits even more from the same minority-platform effect that has shielded Apple, at least as far as desktops go (server is a different story, and of course there's some overlap so it gets a little fuzzy). Some distros are better at handling this than others. However, it would be fair to say that few of them do things as badly as Apple, because users will simply abandon them for better distros if they do. Apple has a level of lock-in that distros don't.
Like I said, Catalina runs on all Mac models since 2012. If your Mac is 10 years old it’s time to upgrade and you really can’t complain about Apple not issuing security updates for an OS that’s 4 versions old. #entitled
Right. Because Apple does not want to fix security in older systems (it can), buy new equipment as there will be no patch. Sounds like a car owner has to buy a new car every three to five years because the keys cannot be upgraded/changed by the manufacturer. Well, I'd certainly buy. I did and made it a Linux desktop. All security patches for many years as LTS promises, and later change the OS to a newer one (no problem) and extend LTS by probably another few years. But hey, you do not get fancy features for 15 minutes of fame and use like from Apple. A tradeoff must be made. I made mine after 15 years with Apple computers. My MintBook Air (ex-MacBook Air 2010) works like a charm and it has security updates.
People stay on older OSs not only because the hardware can't support newer OSs, but because of backwards compatibility with old programs - support for which Apple is notorious for ditching at regular intervals. They dropped Classic in 10.5, Rosetta in 10.7, 32-bit apps in 10.15, and no doubt Intel apps in macOS 13 or 14, along with many deprecated and removed APIs in the interim releases.
I'm yet to upgrade to Monterey for example as I have no doubt half the development tools and workflows I use will break.