A new vulnerability dubbed “Migraine,” for its involvement with macOS migration, could let attackers who already have root access automatically bypass System Integrity Protection (SIP) in the operating system and perform arbitrary operations on a device.
In a May 30 blog post, Microsoft Threat Intelligence explained that bypassing SIP could lead to serious consequences, such as increasing the potential for attackers to install rootkits, create persistent malware, and expand the attack surface for additional malicious techniques and exploits.
The Microsoft researchers said SIP is a security technology in macOS that restricts even the root user from performing operations that could compromise a Mac system’s integrity. A fix for this vulnerability — CVE-2023-32369 — was issued by Apple in its security updates on May 18.
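As an added example (not code from the article, Microsoft or Apple), the POSIX shell helper below parses the output of Apple’s `csrutil status` command so a fleet inventory or monitoring agent can flag Macs where SIP is disabled or only partially enabled. The sample outputs embedded in the script are constructed to follow the command’s general format; the exact wording of the custom-configuration lines is an assumption.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output for SIP hygiene checks.
# The SAMPLE_* strings are constructed and only approximate the real output.

SAMPLE_ENABLED='System Integrity Protection status: enabled.'

SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
  Apple Internal: disabled
  Kext Signing: enabled
  Filesystem Protections: disabled
  Debugging Restrictions: enabled'

# sip_state TEXT -> prints one of: enabled | disabled | custom | unknown
# Only the first line carries the overall status, so classify on that.
sip_state() {
    first=$(printf '%s\n' "$1" | head -n 1)
    case "$first" in
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *"Custom Configuration"*) echo custom ;;
        *)                        echo unknown ;;
    esac
}

# sip_disabled_options TEXT -> one line per protection reported as "disabled"
# in a custom configuration (leading whitespace is stripped from the name).
sip_disabled_options() {
    printf '%s\n' "$1" | awk -F': ' '
        NR > 1 && $2 ~ /^disabled/ { sub(/^[ \t]+/, "", $1); print $1 }'
}

# sip_check TEXT -> exit status 0 only when SIP is fully enabled, so a
# monitoring agent can treat any non-zero result as a finding.
sip_check() {
    [ "$(sip_state "$1")" = enabled ]
}

# Use the live command when running on a Mac; elsewhere demonstrate on the
# constructed custom-configuration sample.
if command -v csrutil >/dev/null 2>&1; then
    out=$(csrutil status)
else
    out=$SAMPLE_CUSTOM
fi

echo "SIP state: $(sip_state "$out")"
if [ "$(sip_state "$out")" = custom ]; then
    echo "Protections reported as disabled:"
    sip_disabled_options "$out"
fi
```

Note the caveat a practitioner would want: a bypass of the kind the article describes lets a root attacker modify protected locations while `csrutil status` still reports SIP as enabled, so this check catches configuration drift and deliberately weakened machines, not an in-progress exploit; patch level and file-integrity monitoring of SIP-protected paths cover that gap.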
“Defending against the evolving threat landscape requires the ability to protect and secure users’ computing experiences, whatever the platform,” wrote the researchers. “As cross-platform threats continue to grow, we will continue to share vulnerability discoveries and threat intelligence in addition to working with the security community to improve upon solutions that protect users and organizations each day.”
Zane Bond, head of product at Keeper Security, said it’s notable and interesting that this new flaw uses Apple’s own protection mechanisms to prevent victims from easily cleaning it up. Bond said every operating system has tried to implement some form of built-in sandbox, anti-virus or malware protection system, such as Apple’s SIP, but occasionally, even those built-in protections are breached. Bond pointed out that Microsoft has Windows data execution prevention (DEP), another built-in technology that helps protect users from executable code launching from places it's not supposed to execute from.
“However, neither SIP or DEP are foolproof,” said Bond. “Generally, the best way for users to remain protected is to ensure they are regularly patching software on all of their devices, including phones, laptops, tablets and routers. Anytime a software update is available, users should install it as soon as possible.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said it's good to see that Apple patched it before it was discovered and exploited in the wild. Parkin said there are some serious implications with this attack, though executing the exploit is a non-trivial task and requires root access.
“A greater implication separate from the vulnerability is that Apple, in further locking down its own systems, [created a situation where] it becomes more difficult for third-party security solutions to add value,” said Parkin. “At the logical conclusion here, users will be forced to rely entirely on Apple's built-in defenses, which means breaking that means breaking it all.”