New macOS vulnerability could allow attackers to bypass SIP: Microsoft

A new vulnerability, dubbed Shrootless, could allow attackers to bypass System Integrity Protection, aka rootless, in Apple's macOS and perform arbitrary code execution, Microsoft said on Thursday.

The vulnerability, now identified as CVE-2021-30892, was reported to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), following which the company released a fix on October 26.

The CVE-2021-30892 vulnerability was discovered by the Microsoft 365 Defender Research Team while assessing processes entitled to bypass SIP protections. "We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed," Microsoft security researcher Jonathan Bar Or, wrote in a blog post.

According to the researcher, a malicious actor could create a specially crafted file that would hijack the installation process and after bypassing SIP's restrictions, the attacker could install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others.

The post gives an overview of SIP, examines some notable SIP bypass vulnerabilities that have already been reported in the past, and present the unique ones the Microsoft researchers discovered.

"Security technology like SIP in macOS devices serves both as the device's built-in baseline protection and the last line of defence against malware and other cybersecurity threats. Unfortunately, malicious actors continue to find innovative ways of breaching these barriers for these very same reasons," Microsoft wrote in a blog post.

As cross-platform threats continue to increase, the research highlights the importance of collaboration among security researchers, software vendors, and the larger security community.