According to BleepingComputer, Apple recently resolved a macOS system vulnerability discovered by Microsoft that allowed attackers with root privileges to bypass System Integrity Protection (SIP), install undeletable malware, and access the victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks. The vulnerability, dubbed Migraine, was discovered and reported to Apple by a team of Microsoft security researchers and is now tracked as CVE-2023-32369.

Apple patched the vulnerability in the macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7 security updates released two weeks ago on May 18.

System Integrity Protection (SIP) is a macOS security mechanism that prevents potential malware from changing certain folders and files by placing restrictions on the root user account and its functions within protected areas of the operating system. It works on the principle that only processes signed by Apple or holding special entitlements (such as Apple software updates and installers) are authorized to change components protected by macOS. Additionally, SIP cannot be disabled without restarting the system and launching macOS Recovery (the built-in recovery system), which requires physical access to the already compromised device.

However, Microsoft researchers discovered that an attacker with root privileges can bypass the SIP security implementation by abusing the macOS Migration Assistant utility. The research demonstrates that an attacker with root privileges can use AppleScript to automate the migration process and launch a malicious payload after adding it to SIP's exclusion list, without having to reboot the system and boot into macOS Recovery.

Arbitrary SIP bypasses pose significant risks, especially when exploited by malware, including the creation of SIP-protected malware that cannot be removed via standard removal methods.
The attack surface is also expanded: a SIP bypass could allow an attacker to tamper with system integrity through arbitrary kernel code execution and potentially install rootkits to hide malicious processes and files from security software. Bypassing SIP protections can also bypass TCC policies entirely, enabling threat actors to replace the TCC database and gain unrestricted access to victims' private data.

This isn't the first macOS vulnerability of this kind reported by Microsoft researchers in recent years. In 2021, Microsoft reported a SIP bypass vulnerability called Shrootless that allowed an attacker to perform arbitrary actions on an infected Mac, elevate privileges to root, and potentially install a rootkit on a vulnerable device. More recently, Microsoft Principal Security Researcher Jonathan Bar Or also discovered a security vulnerability called Achilles, which can be exploited by attackers to bypass Gatekeeper's restrictions on untrusted applications to deploy malware. He also discovered another vulnerability called powerdir, which can allow attackers to bypass TCC to access users' protected data.
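For defenders, the practical first step is confirming that every Mac in the fleet is on or above the fixed release for its line. The following script is an added example, not code from the article, Apple or Microsoft; it compares product versions against the three fixed versions named above and reports release lines the advisory does not cover as "unknown" rather than guessing. The inventory dictionary is constructed sample data, and the `sw_vers -productVersion` call is only used when the script happens to run on macOS.

```python
"""Check macOS product versions against the fixed releases for CVE-2023-32369 (Migraine)."""
import subprocess
from typing import Optional

# Fixed versions as stated in the article; earlier builds on the same line are unpatched.
FIXED_VERSIONS = {
    13: (13, 4, 0),  # macOS Ventura 13.4
    12: (12, 6, 6),  # macOS Monterey 12.6.6
    11: (11, 7, 7),  # macOS Big Sur 11.7.7
}


def parse_version(text: str) -> tuple:
    """Turn '12.6.5' into (12, 6, 5); a missing patch component counts as zero."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    if not parts or len(parts) > 3:
        raise ValueError(f"unrecognised macOS version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one product version.

    'unknown' covers release lines the advisory does not mention (for example 10.15),
    so a host is never silently reported as safe on the basis of this check alone."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def local_version() -> Optional[str]:
    """Read the running macOS version via sw_vers; None when not running on macOS."""
    try:
        result = subprocess.run(["sw_vers", "-productVersion"],
                                capture_output=True, text=True, check=True)
        return result.stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Constructed inventory sample standing in for a real MDM or asset export.
    inventory = {"mac-01": "13.3.1", "mac-02": "13.4", "mac-03": "12.6.6",
                 "mac-04": "11.7.6", "mac-05": "10.15.7"}
    for host, ver in inventory.items():
        print(f"{host:8} {ver:8} {assess(ver)}")
    mine = local_version()
    if mine is not None:
        print(f"{'this host':8} {mine:8} {assess(mine)}")
```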