In a security report, Microsoft detailed its discovery of a critical vulnerability in macOS whose successful exploitation would allow threat actors to bypass the System Integrity Protection (SIP) mechanism and mount a range of attacks, such as escalating privileges and installing rootkits. SIP, also known as Rootless, is a security feature in macOS that prevents even the root user from performing operations that could compromise the system.

This mechanism allows only Apple-signed processes to modify the protected parts of the file system. According to the report, threat actors could create a specially crafted file in order to hijack the legitimate installation process.

Microsoft mentions that, while evaluating macOS processes, its researchers found that the daemon system_installd holds rights that allow it to bypass SIP. With access to this level of rights, any child process of system_installd could evade the restrictions SIP places on the file system.

The vulnerability, dubbed Shrootless, was exploited in a controlled environment by Microsoft researchers, who managed to override the kernel extension exclusion list. Below are the steps that make up the proof of concept (PoC):

  • Download an Apple-signed package (using wget) that is known to have a post-install script
  • Plant a malicious /etc/zshenv that verifies its parent process; if it is system_installd then it would write to restricted locations
  • Invoke the installation utility to install the package
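A defender's check for the planted startup file in the steps above, added here as an example and not taken from Microsoft's report or this article; it assumes an etc_dir argument and uses constructed sample directories so it runs offline:

```shell
#!/bin/sh
# Added example, not from Microsoft's report or this article: a defender's
# audit of the system-wide zsh startup files that the Shrootless PoC abuses.
# Stock macOS ships /etc/zshrc and /etc/zprofile but no /etc/zshenv, so that
# file existing at all deserves a look; a startup file that inspects its
# parent process or names system_installd matches the PoC's pattern.
# The etc_dir argument is an assumed parameter so the check can run against
# a copied or constructed directory as well as the live /etc.

audit_zsh_startup() {
    etc_dir="${1:-/etc}"
    findings=0
    for name in zshenv zprofile zshrc zlogin; do
        f="$etc_dir/$name"
        [ -f "$f" ] || continue
        if [ "$name" = "zshenv" ]; then
            echo "NOTICE: $f exists (absent on a default macOS install)"
            findings=$((findings + 1))
        fi
        if grep -Eq 'system_installd|\$PPID|getppid' "$f"; then
            echo "ALERT: $f references the installer daemon or its parent PID"
            findings=$((findings + 1))
        fi
    done
    # exit status 0 = nothing to review, 1 = at least one finding
    [ "$findings" -eq 0 ]
}

# Constructed sample data (not real artefacts): a clean etc directory and one
# holding a zshenv shaped like the PoC's, written under a temporary path.
make_sample_dirs() {
    base=$(mktemp -d)
    mkdir "$base/clean" "$base/planted"
    printf 'export PATH="$PATH:/usr/local/bin"\n' > "$base/clean/zshrc"
    printf 'export PATH="$PATH:/usr/local/bin"\n' > "$base/planted/zshrc"
    printf '# constructed: act only when the parent is the installer\n' > "$base/planted/zshenv"
    printf 'ps -o comm= -p $PPID | grep -q system_installd && echo hit\n' >> "$base/planted/zshenv"
    echo "$base"
}

# Stand-alone run: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    base=$(make_sample_dirs)
    audit_zsh_startup "$base/clean"   && echo "clean: ok"
    audit_zsh_startup "$base/planted" || echo "planted: review needed"
    rm -rf "$base"
fi
```

Run against the live system with `audit_zsh_startup /etc`; a non-zero exit status means at least one file deserves a closer look.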

Apple announced the fix of the flaw in its latest security update for macOS, crediting Microsoft with the bug report: “A malicious application can modify protected parts of the file system,” the company acknowledges.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post New vulnerability in MacOS allows cyber criminals to hack Macbook Pros via rootkits appeared first on Information Security Newspaper | Hacking News.
