Microsoft found a critical security bug in macOS that could have many users worried

Sead Fadilpašić

May 31, 2023 at 8:07 AM·2 min read

Microsoft found a critical security bug in Apple's macOS that could have many users worried.

The vulnerability is tracked as CVE-2023-32369. It has been dubbed Migraine, and allows threat actors with root privileges to bypass System Integrity Protection (SIP), essentially being given the opportunity to install malware that cannot be deleted from the endpoint. Furthemore, the flaw allows threat actors to work around Transparency, Consent, and Control (TCC) feature, and access sensitive data.

The bug has since been patched across the Apple ecosystem, with users told to apply the fix as soon as they can.

Arbitrary code execution

System Integrity Protection is a feature on Apple devices that restricts the root account. Also known as “rootless”, the feature makes the OS kernel put checks on the root user’s access, preventing it from making certain changes to key folders and files. Devices with SIP only allow Apple-signed processes, or those with special Apple entitlements (think patches and updates), to make changes to protected components and elements.

The only way to disable SIP is to have physical access to the target endpoint, making compromise through this avenue almost impossible. Still, Microsoft’s team found a way to bypass SIP through the Migration Assistant, a tool that allows users to migrate their data to a new device.

> Apple Safari patched to fix potentially dangerous zero-day flaws

> Apple just patched a pair of dangerous iOS and macOS security issues, so update now

> Here's our list of the best firewalls around

"By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks," Microsoft’s researchers explained.

In other words, threat actors could add malware to SIP’s exclusion list and then, without botting from macOS Recovery, automate the migration process.

Apple has fixed the vulnerability in macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7, so make sure to bring your operating system up to date immediately.

Stay protected online with these best ransomware protection

Via: BleepingComputer

Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Sports
Phil Mickelson on the majors: 'What if none of the LIV players played?'
Phil Mickelson hints that big changes could be coming to LIV Golf's rosters, and the majors will need to pay attention.
Yahoo Sports
Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns
Ball hasn't played since the 2021-22 season.
Yahoo Sports
No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it
The quality was choppy, but it was better than what the WNBA had.
Yahoo Sports
Kyle Larson beats Chris Buescher at Kansas in closest finish in NASCAR history
Larson won by 0.001 seconds.
Yahoo Sports
New details emerge in alleged gambling ring behind Shohei Ohtani-Ippei Mizuhara scandal
It turns out the money was going from Ohtani's bank account to an illegal bookie to ... casinos.
Yahoo Sports
NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?
Which teams did the best in the NFL Draft?
Yahoo Sports
2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick
Yahoo Sports' Charles McDonald breaks down the Broncos' 2024 draft.
Yahoo Sports
Monday Leaderboard: Brooks Koepka is ready to slow the Scottie Scheffler train
A dominant LIV win and a heartbreaking PGA Tour loss headline this week's top golf stories
Yahoo Sports
Anthony Edwards' arrival should have the Nuggets — and the entire league — on high alert
The Timberwolves' rising superstar led Minnesota to a Game 1 victory over Denver, then reminded the world that he's 22, not 23 ... yet.
Yahoo Sports
Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race
Race organizers say they'll revoke a Trump fundraiser's suite license if he holds an event for the former president on Sunday at the race.
Yahoo Sports
The Scorecard: Andy Pages looks set to go down as one of the fantasy baseball waiver wire pickups of 2024
Fantasy baseball analyst Dalton Del Don delivers his latest batch of hot takes as we enter Week 6 of the season.
Autoblog
Why did Musk ax the Supercharger team?
Elon Musk’s decision to dismiss much of Tesla’s Supercharger team this week came as a shock. A look at possible reasons why he did it.
Yahoo Finance
CVS stock plunges after earnings numbers one analyst 'did not even believe'
CVS warns it could cede Medicare Advantage market share as reimbursement rates pressure the company.
Yahoo Sports
Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset
The 150th Kentucky Derby produced yet another magnificent two-minute spectacle.
Yahoo Sports
Lionel Messi smashes MLS and personal records with goal, 5 assists in a single half
Messi needed just 33 minutes to do things that no MLS player had ever done in a full game, and that Messi had never done in his career.
Yahoo Sports
UFC 301: Anthony Smith confronts career reality after reconciling with the man who knocked out his teeth
After 56 pro fights and losses in three of his last four, the UFC veteran knows what fans think about the state of his career – but he also knows they've been wrong before.
Yahoo Sports
Ex-Florida State QB and 1999 Fiesta Bowl starter Marcus Outzen dies at 46
The Seminoles lost 23-16 to Tennessee in the first-ever BCS title game.
Autoblog
Edmunds bought a Fisker Ocean, warns others not to make the same mistake
Edmunds bought a Fisker Ocean and details the highs and lows of ownership while warning others not to make the same mistake.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Microsoft found a critical security bug in macOS that could have many users worried

Arbitrary code execution

Recommended Stories

Former NBA guard Darius Morris dies at 33

The FDIC change that leaves wealthy bank depositors with less protection

Phil Mickelson on the majors: 'What if none of the LIV players played?'

Bulls' Lonzo Ball picks up $21.4 million option for 2024-25 season amid knee concerns

No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it

Kyle Larson beats Chris Buescher at Kansas in closest finish in NASCAR history

New details emerge in alleged gambling ring behind Shohei Ohtani-Ippei Mizuhara scandal

NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?

2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick

Monday Leaderboard: Brooks Koepka is ready to slow the Scottie Scheffler train

Anthony Edwards' arrival should have the Nuggets — and the entire league — on high alert

Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race

The Scorecard: Andy Pages looks set to go down as one of the fantasy baseball waiver wire pickups of 2024

Why did Musk ax the Supercharger team?

CVS stock plunges after earnings numbers one analyst 'did not even believe'

Kentucky Derby: Mystik Dan wins in three-horse photo finish, outruns favorite Fierceness in stunning upset

Lionel Messi smashes MLS and personal records with goal, 5 assists in a single half

UFC 301: Anthony Smith confronts career reality after reconciling with the man who knocked out his teeth

Ex-Florida State QB and 1999 Fiesta Bowl starter Marcus Outzen dies at 46

Edmunds bought a Fisker Ocean, warns others not to make the same mistake