Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass Apple’s System Integrity Protection (SIP).
Known as CVE-2024-44243, this vulnerability could be exploited to load third-party kernel extensions, resulting in severe security implications for macOS users.
Apple released a patch for this vulnerability as part of its December 11, 2024, security update. The discovery was made in parallel by Microsoft and security researcher Mickey Jin, both of whom responsibly reported the issue to Apple.
System Integrity Protection, commonly referred to as SIP, is a foundational macOS security feature designed to restrict system-level operations that could compromise the integrity of the operating system.
By enforcing restrictions even on users with root privileges, SIP helps safeguard macOS devices from unauthorized modifications, ensuring tighter security against malware, rootkits, and other threats.
However, Microsoft’s report highlights the critical risk posed by a successful SIP bypass. An exploited SIP vulnerability could allow attackers to:
Microsoft’s research revealed that the Storage Kit daemon (storagekitd), a key macOS process handling disk state operations, could be exploited to bypass SIP protections.
Attackers running as root could leverage this vulnerability by introducing and triggering custom file system bundles that enabled unauthorized operations.
The research team discovered multiple third-party file system implementations, including those from Tuxera, Paragon, EaseUS, and iBoysoft, which were susceptible to abuse.
By integrating custom code into these file systems and using tools like Disk Utility or the diskutil
command, attackers could bypass SIP, overriding Apple’s kernel extension exclusion list.
This allowed unauthorized actions, such as running arbitrary processes without proper validation or privilege drops, which SIP is designed to prevent.
A SIP bypass impacts the entire macOS operating system, making it unreliable and potentially vulnerable to a wide range of attacks. Threat actors could exploit this to:
The research underscores a broader challenge faced by macOS security mechanisms: while restricting third-party kernel code improves system reliability, it limits kernel-level visibility for monitoring tools, making sophisticated attacks harder to detect.
To identify the CVE-2024-44243 vulnerability, Microsoft leveraged advanced monitoring techniques through Microsoft Defender for Endpoint.
The team proactively monitored processes with special entitlements—permissions granted to processes performing critical system functions.
These entitlements, such as com.apple.rootless.install.heritable, could lead to SIP bypasses when misused by attackers.
By analyzing anomalous child processes of entitled daemons like storagekitd, Microsoft successfully flagged the vulnerability.
Microsoft Defender for Endpoint provides real-time alerts for potential SIP bypass attempts, enabling organizations to stay ahead of emerging threats.
Additionally, Microsoft Defender Vulnerability Management helps quickly detect and resolve vulnerabilities like CVE-2024-44243, ensuring comprehensive protection for users.
The vulnerability was responsibly disclosed to Apple through the Coordinated Vulnerability Disclosure (CVD) process via Microsoft Security Vulnerability Research (MSVR).
Apple promptly collaborated with Microsoft and Mickey Jin to deliver a patch addressing CVE-2024-44243 in their December 2024 security update.
macOS users are urged to update their systems immediately to mitigate the risk posed by this vulnerability.
Microsoft emphasized the importance of monitoring specially entitled processes for anomalous behavior, given their potential for security bypasses.
Past vulnerabilities (e.g., “Shrootless” and “Migraine”) have highlighted how entitlements tied to privileged processes can be exploited by attackers.
The company also reiterated the significance of collaborative efforts within the security community to strengthen defenses and ensure responsible disclosure.
To protect against potential security threats:
The discovery and resolution of CVE-2024-44243 underscore the importance of continuous security research and collaboration.
As sophisticated cyber threats evolve, proactive detection, responsible disclosure, and swift patching remain critical to maintaining the integrity of modern operating systems.
Apple’s swift response to this vulnerability illustrates the power of collective action in securing devices against emerging risks.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick to…
A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using compromised…
North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign targeting…
In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global companies,…
Elastic Security Labs has uncovered a sophisticated cyber-espionage campaign, tracked as REF7707, targeting entities across…
NVIDIA has issued a critical security update to address a high-severity vulnerability discovered in the…