In a security report, Microsoft detailed the finding of a critical vulnerability in macOS whose successful exploitation would allow threat actors to evade the System Integrity Protection (SIP) mechanism and deploy all kinds of attacks, such as performing privilege escalations and installing rootkits. SIP, also known as Rootless, is a security feature in macOS that prevents root users from performing operations that could compromise security on the system.

This mechanism allows only Apple-signed processes to modify these restricted sections of the system. According to the report, threat actors could create a specially crafted file in order to hijack the legitimate installation process.

Microsoft mentions that when evaluating macOS processes, the daemon system_installd was detected, which has rights com.apple.rootless.install.inheritable. Access to this level of rights, any process derived from system_installd could evade the restrictions of the SIP file system.

The vulnerability, dubbed Shrootless, was exploited in a secure environment by Microsoft researchers, who managed to override the exclusion list of kernel extensions. Below are the steps that make up the proof of concept (PoC):

  • Download an Apple-signed package (using wget) that is known to have a post exploit script
  • Plant a malicious /etc/zshenv that verifies its parent process; if it is system_installd then it would write to restricted locations
  • Invoke the installation utility to install the package

Apple announced the fix of the flaw in its latest security update for macOS, crediting Microsoft with the bug report: “A malicious application can modify protected parts of the file system,” the company acknowledges.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post New vulnerability in MacOS allows cyber criminals to hack Macbook Pros via rootkits appeared first on Information Security Newspaper | Hacking News.

source

You May Also Like

Anyone can bypass the Google and AWS Web Application Firewall (WAF) with an 8 KB POST request

Most web applications today must be protected against multiple hacking variants, such…

Panasonic FPWIN Pro PLC programming control software vulnerability affects various industrial devices

Cybersecurity specialists report the discovery of a critical vulnerability in FPWIN Pro,…

Apple AirDrop bug could leak user’s personal information

A significant security flaw has been discovered in Apple’s wireless file-sharing protocol…

2 critical vulnerabilities in Zimbra, an open source webmail platform used by more than 200,000 enterprises

Cybersecurity experts report the discovery of two vulnerabilities in Zimbra, a webmail…