Microsoft found a macOS exploit that could completely bypass System Integrity Protection

Microsoft identified a new macOS vulnerability called "Migraine" that can cause headaches for Mac users -- but only if you haven't updated your software recently.

Apple patched macOS "Migraine" exploit

On May 30, Microsoft published a new threat intelligence paper detailing a macOS vulnerability they call "Migraine," which they've already alerted Apple about. With this vulnerability, attackers with root access on a machine can "automatically bypass" System Integrity Protection (SIP) and perform arbitrary operations on that device.

Apple first introduced SIP, also known as "rootless," with the launch of macOS Yosemite. The mechanism is meant to protect macOS system software by using the Apple sandbox to lock the system down even from root, for example through its filesystem restriction component.

Microsoft notes in its paper that, "The files and directories that are protected by SIP by default are commonly ones that are related to the system's integrity." What's more, SIP cannot be turned off on a live system, so it is always present and running.

Microsoft outlines how SIP and entitlements work in macOS, then details how its researchers discovered "Migraine," the approach they took to exploit it, and the general implications of the attacks that become possible once SIP is bypassed.

One of the reasons this exploit was so dangerous is that attackers can carry it out remotely. An attack like this is easy for someone with hands-on access to the computer, but Migraine is exploitable even when that isn't the case.

The Microsoft engineers discovered that simply patching Migration Assistant would not be sufficient to stop the exploit: they were also able to run it through Setup Assistant, using a specially crafted Time Machine backup with AppleScript's help.

How to protect yourself from "Migraine"

As mentioned above, Microsoft already notified Apple of this particular vulnerability. As a result, Apple was able to patch the potential attack point with a software update released in May.

If you want to remain protected against this vulnerability, update your Mac to the latest version.

Apple released macOS Ventura 13.4 on May 18, 2023, which primarily included security patches and other improvements.
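As an added defender's check (not from the article, Microsoft's paper, or Apple), the POSIX shell script below compares the installed macOS version against the 13.4 release the article names as the fix and parses `csrutil status` output to confirm SIP is still enabled; when run somewhere other than a Mac, it falls back to constructed sample inputs.

```shell
#!/bin/sh
# Added example: is this Mac at or above the release that fixed "Migraine"
# (macOS Ventura 13.4, per the article) and is SIP reporting itself enabled?
FIXED_VERSION="13.4"

# version_ge A B -> exit 0 if dotted version A is >= B ("13.4.1" >= "13.4")
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"      # leading component of each
        [ -z "$ai" ] && ai=0              # missing component counts as 0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac   # drop component
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0                               # all components equal
}

# sip_enabled TEXT -> exit 0 if `csrutil status` text says SIP is enabled
# (matches both "enabled." and "enabled (Custom Configuration)")
sip_enabled() {
    case "$1" in
        *"System Integrity Protection status: enabled"*) return 0;;
        *) return 1;;
    esac
}

# check_mac VERSION SIPTEXT -> exit 0 only if both checks pass
check_mac() {
    rc=0
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "macOS $1: at or above $FIXED_VERSION (Migraine fix present)"
    else
        echo "macOS $1: below $FIXED_VERSION, update required"; rc=1
    fi
    if sip_enabled "$2"; then
        echo "SIP: enabled"
    else
        echo "SIP: NOT enabled, re-enable it from Recovery"; rc=1
    fi
    return $rc
}

# On a real Mac read the live values; elsewhere use constructed samples.
if command -v sw_vers >/dev/null 2>&1 && command -v csrutil >/dev/null 2>&1; then
    check_mac "$(sw_vers -productVersion)" "$(csrutil status 2>&1)" || echo "action needed"
else
    check_mac "13.3.1" "System Integrity Protection status: enabled." || echo "action needed"
fi
```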


Comments

  • Reply 1 of 18
    dewme Posts: 5,687 member
    Thank you Microsoft. Very nice to see a severe exploit discovery processed in a highly professional and cooperative manner. I'm sure the check from Apple is in the mail to some highly deserving Microsoft security researchers.  
  • Reply 2 of 18
    Pema Posts: 122 member
    Microsoft (of DOS & Windows infamy) that has more bugs and malware than there are pebbles on the beach. They are so busy swatting their sheit, when do they have the time to debug others? 
  • Reply 3 of 18
    Pema said:
    Microsoft (of DOS & Windows infamy) that has more bugs and malware than there are pebbles on the beach. They are so busy swatting their sheit, when do they have the time to debug others? 
    Maybe they are reverse-engineering macOS, in order to implement some of the security features while circumventing any relevant patents.
  • Reply 4 of 18
    genovelle Posts: 1,481 member
    Jesus said it best. Hypocrite! First remove the plank from your own eye, and then you will see clearly to remove the speck from your brother's eye.
  • Reply 5 of 18
    chutzpah Posts: 392 member
    Take the win guys, macOS just got more secure.  No need to shoot the messenger just because they're from a different tribe.
  • Reply 6 of 18
    dewme Posts: 5,687 member
    Pema said:
    Microsoft (of DOS & Windows infamy) that has more bugs and malware than there are pebbles on the beach. They are so busy swatting their sheit, when do they have the time to debug others? 
    I’m not picking on you or any of the other homers questioning why Microsoft would seemingly be “debugging” Apple software, but there is a fundamental difference between security researchers and scientists who are deeply embedded in cybersecurity as a discipline and practice versus security focused product development and quality engineers who are tasked with identifying and eradicating security issues in their company’s products.

    Security researchers are often the ones who have researched and identified the root causes in logic, design, and implementation that led to the security flaws that manifest themselves as vulnerabilities in any product. Their work and feedback goes a long way towards helping product designers across the board and regardless of product or company affiliation avoid security vulnerabilities in the first place. 

    If Microsoft’s security researchers only focused on security issues within Microsoft’s products they would have a very narrow understanding and limited knowledge of security in general. It would be like your doctor only having knowledge and incentive to inquire about the human diseases and maladies that she has dealt with over her career. But human health and the diseases involved, just like security “diseases,” are global concerns and those who seek to identify cures and limit the occurrence of such diseases should not limit the scope of their research and knowledge acquisition to only include concerns that affect the financial results of their employer. Security issues have no boundaries and security researchers need to root them out wherever they may be hiding, which includes other people’s products, other people’s designs, and other people’s code.
  • Reply 7 of 18
    Microsoft has yet to patch a very serious Secure Boot vulnerability on PCs. Apparently, fixing it will break perhaps millions of PCs.

    Once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.
  • Reply 8 of 18
    mknelson Posts: 1,144 member
    dewme said:
    I’m not picking on you or any of the other homers questioning why Microsoft would seemingly be “debugging” Apple software, but there is a fundamental difference between security researchers and scientists who are deeply embedded in cybersecurity as a discipline and practice versus security focused product development and quality engineers who are tasked with identifying and eradicating security issues in their company’s products. 

    Security researchers are often the ones who have researched and identified the root causes in logic, design, and implementation that led to the security flaws that manifest themselves as vulnerabilities in any product. Their work and feedback goes a long way towards helping product designers across the board and regardless of product or company affiliation avoid security vulnerabilities in the first place. 

    If Microsoft’s security researchers only focused on security issues within Microsoft’s products they would have a very narrow understanding and limited knowledge of security in general. It would be like your doctor only having knowledge and incentive to inquire about the human diseases and maladies that she has dealt with over her career. But human health and the diseases involved, just like security “diseases,” are global concerns and those who seek to identify cures and limit the occurrence of such diseases should not limit the scope of their research and knowledge acquisition to only include concerns that affect the financial results of their employer. Security issues have no boundaries and security researchers need to root them out wherever they may be hiding, which includes other people’s products, other people’s designs, and other people’s code.
    Indeed!

    The Microsoft report is pretty impressive (if hard to follow due to the complexity of what they found) - it took some serious skill and the work almost certainly improved their abilities to catch and identify holes in Windows, and other OSes.
  • Reply 9 of 18
    lowededwookie Posts: 1,163 member
    By helping to make macOS more secure they also help to make Windows more secure. Mac users tend to be quite blasé about viruses, etc., which is why Apple built checkers into the OS and hides them from end users. But a great deal of Windows viruses are spread by Mac users forwarding on infected files to Windows users.

    By helping to fix security issues in macOS, Windows has one less attack vector hackers can use to infect their machines.
  • Reply 10 of 18
    davgreg Posts: 1,046 member
    Pema said:
    Microsoft (of DOS & Windows infamy) that has more bugs and malware than there are pebbles on the beach. They are so busy swatting their sheit, when do they have the time to debug others? 
    I am no fan of Windows or of MS software, but the security of Windows has improved markedly in recent years. I own both a MacBook Pro and a Surface Pro, an iPad Pro and a Samsung Android Tablet and the number of MS security updates is not that different from what Apple posts these days. 

    I hate to inform you, but Apple uses Windows in Cupertino for some things and you do as well, knowingly or unknowingly. The PC wars are over and all of us operate in a hybrid environment of UNIX, LINUX, Mac OS, iOS, Windows client and server and Android as well. Within maybe a year or two most cars will be running on some form of either Microsoft or Android based OS  (d.b.a. Google Car)- QNX software is quickly going by the wayside and Apple does not seem to be competing in that space.
  • Reply 11 of 18
    davgreg Posts: 1,046 member
    This is a nice reminder that all Operating Systems have vulnerabilities as you would expect something as complex as a modern computer would likely have.

    I still read of and hear about people running Macs or iOS/iPad OS with no security at all and all I can say is not me. With almost all banking, investing, bill paying, taxes, and an increasing number of medical and professional communications going over my devices I am not leaving things to chance.

    My home router is essentially a computer and runs software that scans everything on the LAN and also monitors everything coming and going, and if you look at the logs it is quite amazing how much malware is out there and how many people are trying to compromise even your IoT devices. At work (a large hospital system) our IT department is fighting a constant battle to protect our critical systems, sensitive data and your medical records; quite a few major hospitals have been compromised and lost control of everything to ransomware.

    Finally, I would strongly suggest all take a good hard look at using physical security keys to lock your Apple ID, iCloud and other sensitive accounts. Nobody makes a foolproof OS.
  • Reply 12 of 18
    digitol Posts: 276 member
    Not surprising at all, considering many M$ SEs work at Apple, so the same bad habits carry over. There is still a similar exploit via Setup Assistant.
  • Reply 13 of 18
    michelb76 Posts: 682 member
    Good writeup I must say.
  • Reply 14 of 18
    michelb76 Posts: 682 member
    genovelle said:
    Jesus said it best. Hypocrite! First remove the plank from your own eye, and then you will see clearly to remove the speck from your brother’s eye
    Apparently he said a lot of other things about how to treat other people, making you the hypocrite.
  • Reply 15 of 18
    michelb76 Posts: 682 member
    Pema said:
    Microsoft (of DOS & Windows infamy) that has more bugs and malware than there are pebbles on the beach. They are so busy swatting their sheit, when do they have the time to debug others? 
    Maybe they are reverse-engineering macOS, in order to implement some of the security features while circumventing any relevant patents.
    This may surprise you, but Apple, MS, Google and others regularly help check each other's systems to help prevent zero-days. This 'us vs them' is mostly in your head.
  • Reply 16 of 18
    cjcoops Posts: 112 member
    Well... if you have root access, you have access to all sorts of things.

    "attackers with root access on a machine"

    excerpt with that bolded from the above article.

    "With this vulnerability, attackers with root access on a machine can "automatically bypass" System Integrity Protection (SIP) and perform arbitrary operations on that device."

    I don't see this vulnerability claiming they can get root access remotely. What am I missing?
    I disabled SIP myself for a while to keep TotalFinder running. It's a simple enough entry in Terminal with root access; you can google it. Here's Apple's guide on how to do it:
    https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection

  • Reply 17 of 18
    Shame the write-up didn't explain what Apple changed to prevent the clever exploit.

    Heritable permissions to avoid SIP seems like a silly/risky feature to have in macOS.