Skip to main content

Zero-day exploit can bypass rootless on Mac to modify the system without detection

14 problems mac os x 10 11 el capitan fix apple osx hero
Image used with permission by copyright holder
A zero-day exploit affecting Mac OS X allows attackers to execute arbitrary code on any binary. That’s not good, and it gets worse. The exploit bypasses System Identity Protection (SIP, sometimes called rootless), and is almost impossible to trace once implemented. Apple has been notified and a patch is on the way.

“Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature,” wrote SentinelOne in a blog post announcing the discovery. A talk given by Pedro Vilaça at SyScan360, a security conference in downtown Singapore this week, outlined the exploit in detail.

Recommended Videos

The exploit is unique in that it doesn’t use memory corruption, an common attacker exploit. Instead, the attack exploits a longstanding vulnerability in OS X’s security schemes to gain near-total control over any Mac.

Please enable Javascript to view this content

The even crazier thing, however, is that this exploit not only bypasses System Identity Protection but can actively use it to ensure changes made to the system aren’t repaired, something Vilaça calls a SIP “protection racket”.

SIP was introduced with OS X 10.11, El Capitan. It prevents users from changing core system files entirely, even if they enter a root password (hence the nickname “rootless”: there effectively is not a root user). Bypassing SIP and making changes means users cannot undo the changes without first disabling SIP.

Even worse, this exploit is hard to detect using traditional methods.

It all sounds awful, but happily there is no evidence of this exploit being used in the wild, and SentinelOne has informed Apple of the problems. Patches will be out soon.

Vilaça, for what it’s worth, is not blaming Apple.

“Designing security systems is hard,” Vilaça’s slides say at the end of the talk. “Move to defense and give it a try.”

You can read the presentation slides here. It’s a good overview, though a lot of the details seem to be mentioned on-stage and are not on the slides. Here’s hoping a longform version will come out soon.

Justin Pot
Former Digital Trends Contributor
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
This tiny ThinkPad can’t quite keep up with the MacBook Air M2
Lenovo ThinkPad X1 Nano Gen 3 rear view showing lid and logo.

While the laptop industry continues to move toward 14-inch laptops and larger, the 13-inch laptop remains an important category. One of the best is the Apple MacBook Air M2, with an extremely thin and well-built chassis, great performance, and incredibly long battery life.

Lenovo has recently introduced the third generation of its ThinkPad X1 Nano, one of the lightest laptops we've tested and a good performer as well. It's stiff competition, but which of these two diminutive laptops stands apart?
Specs and configurations

Read more
This critical exploit could let hackers bypass your Mac’s defenses
A hacker typing on an Apple MacBook laptop while holding a phone. Both devices show code on their screens.

Microsoft has discovered a critical exploit in macOS that could grant hackers easy access to your Mac’s most important data. Dubbed ‘Migraine,’ it shows why it’s vital to update your Mac as soon as possible.

Migraine is so damaging because it can bypass Apple’s System Integrity Protection, or SIP for short. SIP is enabled by default on modern Macs and works by sandboxing sensitive parts of the computer from outside meddling. Only processes that are signed by Apple (or those with special privileges, like Apple installers) are allowed to alter something guarded by SIP.

Read more
This Mac malware can steal your credit card data in seconds
Apple's Craig Federighi speaking about macOS security at WWDC 2022.

Despite their reputation for security, Macs can still get viruses, and that’s just been proven by a malicious new Mac malware that can steal your credit card info and send it back to the attacker, ready to be exploited. It’s a reminder to be careful when opening apps from unknown sources.

The malware, dubbed MacStealer, was discovered by Uptycs, a threat research firm. It hoovers up a wide array of your personal data, including the iCloud Keychain password database, credit card data, cryptocurrency wallet credentials, browser cookies, documents, and more. That means there’s a lot that could be at risk if it gains a foothold on your Mac.

Read more