Highlights:

  • System Integrity Protection is a macOS security feature designed to block unauthorized changes to system files and processes.
  • Due to macOS’s limited kernel visibility, uncovering the vulnerability was challenging. Microsoft tackled this by using proactive monitoring techniques.

Microsoft Threat Intelligence has disclosed a previously unknown, now patched macOS vulnerability that could have enabled attackers to bypass Apple Inc.’s System Integrity Protection and load third-party kernel extensions.

System Integrity Protection (SIP) is a macOS security feature designed to block unauthorized modifications to system files and processes, even for users with root access. By restricting access to critical system components, SIP helps ensure the operating system’s integrity and reliability, reducing the risk of malware and other exploits.

The vulnerability, tracked as CVE-2024-44243 and fixed in the macOS update Apple released on December 11, 2024, involved storagekitd, a privileged daemon responsible for disk management. By abusing the daemon’s special entitlements, an attacker who already had root access could bypass SIP and load unauthorized kernel extensions, opening the way to persistent malware or rootkits that evade conventional security tools.

Microsoft’s research traced the flaw to storagekitd’s ability to spawn child processes without adequately validating them: the daemon’s SIP-bypass entitlement is heritable, so those children run with the same exemption from SIP. By supplying a malicious third-party file system implementation that storagekitd then invokes, an attacker could bypass kernel extension restrictions under the cover of a seemingly legitimate disk operation, significantly expanding the attack surface.

Uncovering the vulnerability was difficult because security tools have only restricted visibility into the macOS kernel. Microsoft compensated with proactive monitoring techniques, such as tracking unusual child processes of privileged daemons like storagekitd. Those methods are what surfaced CVE-2024-44243 and allowed it to be addressed before attackers could exploit it on a larger scale.

Although the vulnerability has been patched, with Microsoft publishing its findings only after Apple’s security engineers had resolved the issue, it adds to the signs of strain in Apple’s longstanding reputation for robust security.

Mayuresh Dani, Security Research Manager at the Qualys Threat Research Unit, said, “Bypassing SIP could allow threat actors to install rootkits and similar functionality, allowing a persistent backdoor to the vulnerable system.”

Dani offered several recommendations for mitigating similar macOS SIP bypasses. The first is to monitor processes that carry special entitlements: teams should proactively track such processes, since they are the ones that can be abused to bypass SIP, and keep oversight of how they behave in their environments.
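The two monitoring ideas above, unusual children of storagekitd and processes that end up holding SIP-bypass entitlements, can be expressed as plain detection logic. The script below is an added example for this article, not code from Microsoft, Apple or the researchers quoted here. It runs over a few constructed process-exec records loosely modeled on what an Endpoint Security exec event exposes; the record fields, the entitlement list (which a real collector would have to populate separately, for example from the binary’s signature) and the storagekitd path are assumptions of the example.

```python
"""Flag SIP-bypass precursors on macOS: non-Apple children of privileged
daemons, and non-Apple processes holding SIP-bypass entitlements.

Added example; not code from Microsoft, Apple, or the researchers quoted in
the article. Event records are constructed and loosely modeled on an
Endpoint Security exec event; field names and the storagekitd path are
assumptions.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Privileged daemons whose child processes deserve scrutiny (matched by basename).
WATCHED_DAEMONS = frozenset({"storagekitd"})

# Entitlements that exempt a process from SIP's file-system restrictions.
# The ".heritable" variant is passed on to child processes, which is why an
# unexpected child of an entitled daemon matters.
SIP_BYPASS_ENTITLEMENTS = frozenset({
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
})

# Locations from which Apple-signed platform binaries normally execute.
APPLE_PATH_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/")


@dataclass(frozen=True)
class ExecEvent:
    pid: int
    ppid: int
    parent_path: str            # executable of the parent process
    path: str                   # executable that was exec'ed
    signing_id: str             # code signing identifier
    team_id: Optional[str]      # None for Apple platform binaries
    is_platform_binary: bool    # Endpoint Security reports this per process
    # Assumed to be collected by the caller (e.g. from the code signature).
    entitlements: FrozenSet[str] = field(default_factory=frozenset)


def is_apple_platform_binary(ev: ExecEvent) -> bool:
    """Apple-shipped code: platform-binary flag set and living under a system path."""
    return ev.is_platform_binary and ev.path.startswith(APPLE_PATH_PREFIXES)


def classify(ev: ExecEvent) -> List[str]:
    """Return human-readable findings for one exec event (empty list = benign)."""
    findings = []
    parent = ev.parent_path.rsplit("/", 1)[-1]
    apple = is_apple_platform_binary(ev)

    # 1. A privileged daemon spawning something that is not Apple code.
    if parent in WATCHED_DAEMONS and not apple:
        findings.append(f"{parent} spawned non-platform binary {ev.path} (team {ev.team_id})")

    # 2. Any non-Apple process that holds a SIP-bypass entitlement, whether
    #    granted directly or inherited from an entitled parent.
    held = ev.entitlements & SIP_BYPASS_ENTITLEMENTS
    if held and not apple:
        findings.append(f"{ev.path} holds SIP-bypass entitlement(s) {sorted(held)}")
    return findings


def scan(events) -> List[Tuple[int, str]]:
    """Run classify() over a stream of events; returns (pid, finding) pairs."""
    return [(ev.pid, f) for ev in events for f in classify(ev)]


# Path assumed for this example.
STORAGEKITD = "/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Routine: storagekitd runs Apple's own fsck_apfs during a disk repair.
    ExecEvent(pid=4101, ppid=312, parent_path=STORAGEKITD, path="/sbin/fsck_apfs",
              signing_id="com.apple.fsck_apfs", team_id=None, is_platform_binary=True,
              entitlements=frozenset({"com.apple.rootless.install.heritable"})),
    # Routine: a user runs diskutil from a shell; no SIP entitlement involved.
    ExecEvent(pid=4102, ppid=2210, parent_path="/bin/zsh", path="/usr/sbin/diskutil",
              signing_id="com.apple.diskutil", team_id=None, is_platform_binary=True),
    # Suspicious: storagekitd executes a helper from a third-party file-system
    # bundle, and the helper inherits the heritable SIP entitlement.
    ExecEvent(pid=4103, ppid=312, parent_path=STORAGEKITD,
              path="/Library/Filesystems/examplefs.fs/Contents/Resources/mount_examplefs",
              signing_id="com.example.mount_examplefs", team_id="EXAMPLE123",
              is_platform_binary=False,
              entitlements=frozenset({"com.apple.rootless.install.heritable"})),
]


if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Only the third event produces findings: the first two are Apple platform binaries doing ordinary disk work, which is exactly the noise an alert on "any child of storagekitd" would drown in. Keying the rule on the platform-binary flag and the system-path prefix, rather than on the parent alone, is what keeps it usable day to day.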

Another recommendation is to restrict third-party kernel extensions. Dani advises limiting the use of applications that depend on such extensions, enabling them only when absolutely necessary, and pairing any exception with strict monitoring.
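To turn that restriction into a check, here is an added example (not Apple tooling, and not from the research discussed in this article) that parses the loaded kernel extension list and reports any extension whose bundle identifier is not Apple’s. It handles the column layout printed by kextstat(8) and by `kmutil showloaded` on macOS 11 and later. The sample output, addresses, UUIDs and the `com.example.vendor.driver` identifier are constructed placeholders.

```python
"""Audit loaded kernel extensions and flag anything not shipped by Apple.

Added example; not Apple's tooling and not from the research discussed in
the article. Parses the column layout of kextstat(8) / `kmutil showloaded`;
the sample output below is constructed.
"""
import re
import subprocess
from typing import Dict, FrozenSet, List

# Column layout: Index Refs Address Size Wired Name (Version) UUID <Linked Against>
KEXT_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+(?P<address>\S+)\s+(?P<size>\S+)\s+"
    r"(?P<wired>\S+)\s+(?P<name>\S+)\s+\((?P<version>[^)]*)\)"
)


def parse_loaded_kexts(text: str) -> List[Dict[str, object]]:
    """Turn kextstat/kmutil output into records of index, refs, name, version, linked."""
    kexts = []
    for line in text.splitlines():
        m = KEXT_LINE.match(line)
        if not m:  # header line, kmutil's informational notes, blank lines
            continue
        linked = re.search(r"<([^>]*)>", line[m.end():])
        kexts.append({
            "index": m["index"],
            "refs": m["refs"],
            "name": m["name"],
            "version": m["version"],
            "linked": linked.group(1).split() if linked else [],
        })
    return kexts


def third_party_kexts(text: str, allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Loaded kexts whose bundle ID is not Apple's and not on the local allowlist."""
    return [k for k in parse_loaded_kexts(text)
            if not str(k["name"]).startswith("com.apple.") and k["name"] not in allowlist]


def loaded_kexts_text() -> str:
    """Collect live data on macOS 11 or later; the sample run below does not call this."""
    return subprocess.run(["kmutil", "showloaded"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample output in kextstat layout (addresses and UUIDs are made up).
SAMPLE_OUTPUT = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  160 0                  0          0          com.apple.kpi.bsd (24.2.0) 0A0A0A0A-0000-0000-0000-000000000001
   88    0 0xffffff7f85a3c000 0x6000     0x6000     com.apple.driver.AppleHIDKeyboard (243) 1B1B1B1B-0000-0000-0000-000000000002 <12 8 6 5 3 1>
  142    0 0xffffff7f86b10000 0x23000    0x23000    com.example.vendor.driver (1.4.2) 2C2C2C2C-0000-0000-0000-000000000003 <8 6 5 3 1>
"""


if __name__ == "__main__":
    for k in third_party_kexts(SAMPLE_OUTPUT):
        print(f"third-party kext loaded: {k['name']} {k['version']} (index {k['index']})")
```

Run it across a fleet and diff the result against the allowlist of extensions you deliberately approved; anything else is either an unapproved driver or, after a SIP bypass of the kind described here, a rootkit. Two caveats: on Apple silicon, third-party kexts can only load once the boot security policy has been lowered to Reduced Security with kernel extensions enabled, so a hit on a host that is supposed to run at Full Security is a finding in itself; and DriverKit system extensions run in user space and are not listed here, so pair this with `systemextensionsctl list`.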

Jason Soroko, Senior Fellow at Sectigo Ltd., a certificate lifecycle management company, said the vulnerability exposed “the entire operating system to deeper compromise without needing physical access, threatening sensitive data and system controls.”

“Security teams should ensure macOS systems are patched with the latest updates, closely monitor for unusual disk management or privileged process behavior, and implement endpoint detection tools that watch for unsigned kernel extensions. Regular integrity checks, principle-of-least-privilege policies and strict compliance with Apple’s security guidelines further reduce exposure to this critical threat,” Soroko added.