New "Migraine" Flaw Enables Attackers to Bypass MacOS Security

Written by

A new vulnerability has been discovered in macOS that allows attackers with root access to bypass System Integrity Protection (SIP) and perform arbitrary operations on affected devices.

Discovered by Microsoft and dubbed “Migraine,” the flaw was disclosed to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).

SIP is a security technology implemented in macOS that prevents a root user from compromising system integrity. Also known as “rootless,” SIP was introduced by Apple in macOS Yosemite as a security measure. It restricts root user access to sensitive system files and directories.

Technically speaking, SIP cannot be disabled on a live system and instead requires physical access to the device through the recovery OS. A SIP bypass allows an attacker to override SIP-protected directories and files.

Bypassing SIP could therefore lead to the installation of rootkits, the creation of persistent malware and an expanded attack surface for further exploits.

Microsoft explained that the technique used to exploit the vulnerability is similar to the one found in the Shrootless vulnerability (tracked CVE-2021-30892) published in 2021.

“By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks,” reads a Microsoft advisory published Tuesday.

The tech giant confirmed Apple has released security updates on May 18 2023, addressing the issue identified as CVE-2023-32369.

“A logic issue was addressed with improved state management,” Apple wrote in its security bulletin, crediting Microsoft researchers Jonathan Bar Or, Anurag Bohra and Michael Pearse for the discovery.

Read more on Apple vulnerabilities: Apple Patches Two Zero-Days Exploited in the Wild

According to Microsoft, the discovery of the Migraine vulnerability highlights the importance of continuous research and collaboration in mitigating security risks across platforms. 

In adjacent news, Microsoft, Apple and Google have recently teamed up on passwordless standards.

Editorial image credit: WeDesing / Shutterstock.com

What’s hot on Infosecurity Magazine?