A new macOS vulnerability discovered by Microsoft could let attackers bypass System Integrity Protection (SIP), perform arbitrary operations, elevate their privileges to root, and install rootkits on vulnerable machines.
The Microsoft 365 Defender Research Team disclosed the Shrootless vulnerability (now tracked as CVE-2021-30892) to Apple via the Microsoft Security Vulnerability Research Program (MSVR).
SIP (also known as rootless) is a macOS security mechanism that stops potentially malicious software from modifying protected files and folders by restricting what even the root account can do to protected parts of the OS.
SIP allows only processes signed by Apple, or holding specific entitlements (for example, Apple software updates and Apple installers), to modify those protected parts of macOS.
Microsoft researchers found the Shrootless flaw after noticing that the system_installd daemon holds the com.apple.rootless.install.heritable entitlement, which lets any child process it spawns bypass SIP's file-system restrictions entirely.
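The inheritance described above is exactly what a defender wants to audit on a fleet: which binaries carry a SIP-install entitlement, and whether the heritable variant hands that privilege to every child process. The following Python is an added example, not code from Microsoft or Apple. It parses the plist that `codesign -d --entitlements :- <binary>` prints on macOS (the `:` prefix strips the binary blob header that older releases emit), and it also accepts the raw blob form. The entitlement names checked, the sample dumps, and the binary names in the sample table are assumptions constructed for this example; nothing here was captured from a real system.

```python
"""Audit codesign entitlement dumps for SIP-install entitlements (added example)."""
import plistlib
import struct

# Entitlements that let a process write to SIP-protected paths. The ".heritable"
# variant also passes the privilege to child processes, which is the condition
# Shrootless abused. Assumed list for this example; it is not exhaustive.
SIP_INSTALL_ENTITLEMENTS = (
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
)
HERITABLE = "com.apple.rootless.install.heritable"

# CSMAGIC_EMBEDDED_ENTITLEMENTS blob layout: 4-byte magic, 4-byte big-endian
# total length (header included), then the XML plist.
ENTITLEMENT_BLOB_MAGIC = 0xFADE7171


def strip_blob_header(data: bytes) -> bytes:
    """Return the XML plist, dropping the 8-byte blob header if one is present."""
    if len(data) >= 8:
        magic, length = struct.unpack(">II", data[:8])
        if magic == ENTITLEMENT_BLOB_MAGIC and 8 <= length <= len(data):
            return data[8:length]
    return data


def parse_entitlements(data: bytes) -> dict:
    """Parse a codesign entitlements dump; an empty dump (unentitled binary) gives {}."""
    xml = strip_blob_header(data).strip()
    if not xml:
        return {}
    return plistlib.loads(xml)


def sip_bypass_entitlements(data: bytes) -> list:
    """SIP-install entitlements explicitly set to <true/> in the dump."""
    ents = parse_entitlements(data)
    return [name for name in SIP_INSTALL_ENTITLEMENTS if ents.get(name) is True]


def inherits_sip_bypass(data: bytes) -> bool:
    """True when child processes of this binary would also bypass SIP."""
    return HERITABLE in sip_bypass_entitlements(data)


def audit(dumps: dict) -> dict:
    """Map binary name -> list of SIP-install entitlements it holds."""
    return {name: sip_bypass_entitlements(dump) for name, dump in dumps.items()}


# --- constructed sample dumps (assumed content, not from a real system) ---
HERITABLE_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
    <key>com.apple.private.example-entitlement</key>
    <true/>
</dict>
</plist>
"""

ORDINARY_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.rootless.install</key>
    <false/>
</dict>
</plist>
"""

# Same daemon dump wrapped in the raw blob header, as older codesign emits it.
BLOB_DUMP = struct.pack(">II", ENTITLEMENT_BLOB_MAGIC, 8 + len(HERITABLE_DAEMON)) + HERITABLE_DAEMON

SAMPLES = {
    "system_installd (sample)": HERITABLE_DAEMON,
    "ordinary app (sample)": ORDINARY_APP,
    "blob-wrapped daemon (sample)": BLOB_DUMP,
}

if __name__ == "__main__":
    for name, ents in audit(SAMPLES).items():
        flag = " <- children inherit SIP bypass" if HERITABLE in ents else ""
        print(f"{name}: {ents or 'no SIP-install entitlements'}{flag}")
```

On a real host, feed the function the bytes from `codesign -d --entitlements :- <path>` for each binary of interest; a `<false/>` value is deliberately not counted, since only an entitlement set to true grants the privilege.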
“The vulnerability was discovered in the way Apple-signed packages containing post-install scripts are installed. A hostile actor might generate a specifically constructed file that would interfere with the installation process,” Microsoft security researcher Jonathan Bar Or explained.
“After circumventing SIP’s constraints, the attacker might, among other things, install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware.” Apple addressed the flaw in the security updates it released two days earlier, on October 26.
According to Apple’s security advisory, “a malicious programme may be able to manipulate protected areas of the file system.” Apple fixed the inherited-entitlement problem at the root of Shrootless by adding further restrictions.
“We’d like to congratulate Apple’s product security team for their professionalism and promptness in resolving the issue,” Jonathan Bar Or stated.
Microsoft also announced last week that it has discovered new variants of the macOS WizardUpdate malware (also known as UpdateAgent or Vigram), updated with new evasion and persistence techniques.
This trojan delivers second-stage payloads such as Adload, a malware family active since late 2017 that is notable for infecting Macs despite XProtect, Apple’s built-in YARA-signature-based antivirus.
In June, Redmond’s researchers also uncovered serious firmware vulnerabilities in some NETGEAR router models that attackers could exploit to breach corporate networks and move laterally within them.