Normally, to disable SIP an attacker would need physical access to the target Mac. From there, they would have to restart the system and boot into macOS Recovery, Apple's built-in recovery environment.

However, Microsoft's security researchers discovered a way to bypass SIP with root permissions by abusing Apple's own macOS Migration Assistant. They demonstrated how an attacker with root permissions could automate the migration process with AppleScript and launch a malicious payload without restarting the Mac and booting into macOS Recovery, by adding it to SIP's exclusions list.

Microsoft's Threat Intelligence team provided further details on the Migraine vulnerability in a blog post, saying: "By focusing on system processes that are signed by Apple and have the .heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks."

What makes malware loaded this way particularly dangerous is that it can't be removed using standard deletion methods and can be hidden from security software. To make matters worse, bypassing SIP could also allow an attacker to get around Apple's Transparency, Consent and Control (TCC) policies, which would give them unrestricted access to private data stored on a vulnerable Mac.
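From the defender's side, the practical follow-up to this story is an inventory: is SIP still reported as enabled on a given Mac, and which Apple-signed binaries carry the heritable SIP-install entitlement that the researchers focused on? The script below is an added example, not code from the article or from Microsoft's research. It assumes (these are not stated on the page) that the full entitlement name is `com.apple.rootless.install.heritable`, that `csrutil status` prints a line of the form `System Integrity Protection status: enabled.`, and that `codesign -d --entitlements :- <binary>` prints the entitlements as a plist, possibly preceded by a short binary header on older macOS releases. The sample outputs embedded in the script are constructed so that it runs offline; `live_audit` runs the real commands and only works on macOS.

```python
"""Audit helpers for the Migraine-style SIP-bypass class (added example).

Assumptions, not taken from the article:
  * entitlement name: com.apple.rootless.install.heritable
  * `csrutil status` output format as shown in SAMPLE_CSRUTIL_*
  * `codesign -d --entitlements :- <path>` prints a plist, possibly with a
    binary blob header before the "<?xml" marker on older macOS versions
"""
import plistlib
import re
import subprocess
from typing import Dict, List

HERITABLE_ENTITLEMENT = "com.apple.rootless.install.heritable"  # assumed name

# --- constructed sample inputs (not captured from a real machine) ---------
SAMPLE_CSRUTIL_ENABLED = "System Integrity Protection status: enabled.\n"
SAMPLE_CSRUTIL_DISABLED = "System Integrity Protection status: disabled.\n"

# Old-style codesign output: 8 junk bytes, then the XML plist.
SAMPLE_CODESIGN_HERITABLE = b"\xfa\xde\x71\x71\x00\x00\x01\x20" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.rootless.install.heritable</key><true/>
</dict></plist>
"""
SAMPLE_CODESIGN_PLAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>
"""
# Paths are placeholders, not the daemons Microsoft examined.
SAMPLE_BINARIES: Dict[str, bytes] = {
    "/Example/daemon_a": SAMPLE_CODESIGN_HERITABLE,
    "/Example/tool_b": SAMPLE_CODESIGN_PLAIN,
    "/Example/no_entitlements": b"",  # codesign printed nothing
}


def sip_enabled(csrutil_output: str) -> bool:
    """Parse `csrutil status` text; raise if the status line is missing."""
    m = re.search(r"System Integrity Protection status:\s*(enabled|disabled)",
                  csrutil_output, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised csrutil output")
    return m.group(1).lower() == "enabled"


def entitlements_from_codesign(raw: bytes) -> dict:
    """Turn raw `codesign -d --entitlements :-` output into a dict.

    Skips any binary header by seeking to the first '<?xml'; an empty
    result means the binary declares no entitlements at all.
    """
    start = raw.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(raw[start:])


def has_heritable_entitlement(entitlements: dict) -> bool:
    """True if the SIP-install entitlement is present and set to true."""
    return entitlements.get(HERITABLE_ENTITLEMENT) is True


def audit(csrutil_output: str, codesign_outputs: Dict[str, bytes]) -> dict:
    """Combine both checks into one report.

    'heritable' lists binaries whose child processes would inherit the
    SIP-install capability; these are the ones worth watching for tampering.
    """
    flagged: List[str] = sorted(
        path for path, raw in codesign_outputs.items()
        if has_heritable_entitlement(entitlements_from_codesign(raw))
    )
    return {"sip_enabled": sip_enabled(csrutil_output), "heritable": flagged}


def live_audit(paths: List[str]) -> dict:
    """Run the real commands; macOS only. Not exercised by the offline demo."""
    status = subprocess.run(["csrutil", "status"], capture_output=True,
                            text=True, check=True).stdout
    outputs = {
        p: subprocess.run(["codesign", "-d", "--entitlements", ":-", p],
                          capture_output=True, check=False).stdout
        for p in paths
    }
    return audit(status, outputs)


if __name__ == "__main__":
    print(audit(SAMPLE_CSRUTIL_ENABLED, SAMPLE_BINARIES))
```

Run on a real Mac, `live_audit` takes the list of Apple-signed executables you want to track; a SIP status of `disabled` or an unexpected addition to the heritable list is the signal to investigate, since the technique described above relies on exactly those processes.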