Microsoft found a macOS exploit that could completely bypass System Integrity Protection
Microsoft identified a new macOS vulnerability called "Migraine" that can cause headaches for Mac users -- but only if you haven't updated your software recently.
Apple patched macOS "Migraine" exploit
On May 30, 2023, Microsoft published a threat intelligence paper detailing a macOS vulnerability it calls "Migraine," which it had already reported to Apple. With this vulnerability, an attacker who already has root access on a machine can "automatically bypass" System Integrity Protection (SIP) and perform arbitrary operations on that device, including modifying files that SIP would otherwise keep read-only even for root.
Apple first introduced SIP, also known as "rootless," in OS X El Capitan in 2015. It is a kernel-level restriction built on the Apple sandbox that limits what even the root user can do to the system: it blocks writes to protected system files and directories, and gates other sensitive operations (such as loading kernel extensions) behind entitlements that only Apple-signed binaries carry.
Microsoft notes in its paper that, "The files and directories that are protected by SIP by default are commonly ones that are related to the system's integrity." What's more, SIP cannot be turned off on a live system. Disabling it legitimately means booting into Recovery and running csrutil disable, which in practice requires physical (or console) access to the Mac.
Microsoft outlines how SIP and entitlements work in macOS, and goes into detail on how it discovered "Migraine," the approach taken to exploit it, and the general implications of attacks that become possible once SIP is bypassed.
Part of what makes Migraine dangerous is that it does not require physical access. Turning SIP off the normal way is easy for someone with hands on the computer, since they can reboot into Recovery; Migraine lets an attacker who already has root on a running system, whether through malware or a remote compromise, get past SIP without ever touching the hardware. Root access is still the prerequisite, but the usual physical-presence barrier is gone.
The Microsoft engineers also determined that simply hardening Migration Assistant would not have been enough to stop the exploit, because the same migration machinery can be reached through Setup Assistant. They ran the exploit that way, feeding it a specially crafted Time Machine backup and using AppleScript to automate the steps that would otherwise need a user at the keyboard.
How to protect yourself from "Migraine"
As mentioned above, Microsoft already notified Apple of this particular vulnerability. As a result, Apple was able to patch the attack path with a software update released in May 2023; the issue is tracked as CVE-2023-32369, and the fix shipped in macOS Ventura 13.4 along with the corresponding Monterey (12.6.6) and Big Sur (11.7.7) security updates. If you want to remain protected against this vulnerability, update your Mac to the latest version, and leave SIP enabled.
Apple released macOS Ventura 13.4 on May 18, 2023, an update made up primarily of security patches and other fixes.
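As an added example for the advice above (not code from the article or from Microsoft's report), here is a POSIX shell compliance check of the kind one would deploy as an MDM extension attribute or inventory script: it compares the running macOS version against the first build carrying Apple's fix for CVE-2023-32369 (13.4, 12.6.6 and 11.7.7, per Apple's May 2023 security notes) and parses the output of `csrutil status` to confirm SIP is still fully enabled. The function names and the one-line verdict format are this example's own; the live `sw_vers` and `csrutil` calls only run on Darwin, so the functions can be exercised on any host with constructed `csrutil` output.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft's report): a fleet compliance
# check that reports whether a Mac runs a build carrying Apple's fix for
# CVE-2023-32369 and whether SIP is still enabled. Fixed versions are taken from
# Apple's May 2023 security release notes; the verdict format is this script's own.

# version_ge A B: exit 0 if dotted version A >= B; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        : "${ac:=0}" "${bc:=0}"
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# migraine_patched VERSION: 0 = at or above the fixed build for that major release,
# 1 = below it (vulnerable), 2 = release not covered by the advisory (10.x and older).
# Releases newer than Ventura shipped after the fix and are treated as patched.
migraine_patched() {
    major=${1%%.*}
    case "$major" in
        13) fixed=13.4 ;;
        12) fixed=12.6.6 ;;
        11) fixed=11.7.7 ;;
        *)  if [ "$major" -gt 13 ]; then return 0; else return 2; fi ;;
    esac
    version_ge "$1" "$fixed"
}

# sip_state TEXT: classify `csrutil status` output. "unknown" also covers the
# "Custom Configuration" case, where individual protections have been switched
# off in Recovery and the machine should not be treated as fully protected.
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# migraine_verdict VERSION CSRUTIL_OUTPUT: one-line summary; compliant only when
# the build is patched and SIP is fully enabled.
migraine_verdict() {
    rc=0; migraine_patched "$1" || rc=$?
    case "$rc" in 0) patched=yes ;; 1) patched=no ;; *) patched=unknown ;; esac
    sip=$(sip_state "$2")
    compliant=false
    [ "$patched" = yes ] && [ "$sip" = enabled ] && compliant=true
    echo "version=$1 patched=$patched sip=$sip compliant=$compliant"
}

# Live run on a Mac; skipped elsewhere so the functions can be tested on any host.
if [ "$(uname -s)" = Darwin ]; then
    migraine_verdict "$(sw_vers -productVersion)" "$(csrutil status 2>/dev/null)"
fi
```

A machine on 13.3.1 with SIP enabled reports `patched=no`, one on 13.4 with `csrutil status` showing a custom configuration reports `sip=unknown`; both come back `compliant=false`, which is the signal an inventory system should alert on.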
Comments
Security researchers are often the ones who have researched and identified the root causes in logic, design, and implementation that led to the security flaws that manifest themselves as vulnerabilities in any product. Their work and feedback go a long way towards helping product designers across the board, regardless of product or company affiliation, avoid security vulnerabilities in the first place.
If Microsoft’s security researchers only focused on security issues within Microsoft’s products they would have a very narrow understanding and limited knowledge of security in general. It would be like your doctor only having knowledge and incentive to inquire about the human diseases and maladies that she has dealt with over her career. But human health and the diseases involved, just like security “diseases,” are global concerns and those who seek to identify cures and limit the occurrence of such diseases should not limit the scope of their research and knowledge acquisition to only include concerns that affect the financial results of their employer. Security issues have no boundaries and security researchers need to root them out wherever they may be hiding, which includes other people’s products, other people’s designs, and other people’s code.
The Microsoft report is pretty impressive (if hard to follow due to the complexity of what they found) - it took some serious skill and the work almost certainly improved their abilities to catch and identify holes in Windows, and other OSes.
By helping to fix security issues in macOS, Windows has one less attack vector hackers can use to infect their machines.
I hate to inform you, but Apple uses Windows in Cupertino for some things and you do as well, knowingly or unknowingly. The PC wars are over and all of us operate in a hybrid environment of UNIX, LINUX, Mac OS, iOS, Windows client and server and Android as well. Within maybe a year or two most cars will be running on some form of either Microsoft or Android based OS (d.b.a. Google Car) - QNX software is quickly going by the wayside and Apple does not seem to be competing in that space.
I still read of and hear about people running Macs or iOS/iPad OS with no security at all and all I can say is not me. With almost all banking, investing, bill paying, taxes, and an increasing number of medical and professional communications going over my devices I am not leaving things to chance.
My home router is essentially a computer and runs software that scans everything on the LAN and also monitors everything coming and going, and if you look at the logs it is quite amazing how much malware is out there and how many people are trying to compromise even your IoT devices. At work (a large hospital system) our IT department is fighting a constant battle to protect our critical systems, sensitive data and your medical records - quite a few major hospitals have been compromised and lost control of everything to ransomware.
Finally, I would strongly suggest all take a good hard look at using physical security keys to lock your Apple ID, iCloud and other sensitive accounts. Nobody makes a foolproof OS.
"attackers with root access on a machine"
excerpt with that bolded from the above article.
"With this vulnerability, attackers with root access on a machine can "automatically bypass" System Integrity Protection (SIP) and perform arbitrary operations on that device."
I don't see this vulnerability claiming they can get root access remotely - what am I missing?
I disabled SIP myself for a while to keep TotalFinder running - it's a simple enough entry in Terminal with root access. You can google it - here's Apple's guide on how to do it:
https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection