{"id":25673,"date":"2025-01-14T05:01:22","date_gmt":"2025-01-14T13:01:22","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2025\/01\/14\/news-19396\/"},"modified":"2025-01-14T05:01:22","modified_gmt":"2025-01-14T13:01:22","slug":"news-19396","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2025\/01\/14\/news-19396\/","title":{"rendered":"Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft Threat Intelligence| Date: Mon, 13 Jan 2025 17:00:00 +0000<\/strong><\/p>\n<p>Microsoft Threat Intelligence discovered a new macOS vulnerability that could allow attackers to bypass Apple\u2019s <a href=\"https:\/\/developer.apple.com\/documentation\/security\/disabling_and_enabling_system_integrity_protection\">System Integrity Protection<\/a> (SIP) in macOS by loading third party kernel extensions. SIP is a security technology that restricts the performance of operations that may compromise system integrity; thus, a SIP bypass affects the overall security of the operating system. Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.<\/p>\n<p>We shared these findings with Apple through <a href=\"https:\/\/www.microsoft.com\/msrc\/cvd\">Coordinated Vulnerability Disclosure<\/a> (CVD) via <a href=\"https:\/\/www.microsoft.com\/msrc\/msvr\">Microsoft Security Vulnerability Research<\/a> (MSVR). A fix for this vulnerability, now identified as <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-44243\">CVE-2024-44243<\/a>, was included in the <a href=\"https:\/\/support.apple.com\/en-us\/121839\">security updates<\/a> released by Apple on December 11, 2024. 
The findings were discovered in parallel between Microsoft and <a href=\"https:\/\/x.com\/patch1t\">Mickey Jin<\/a>, who also responsibly reported the vulnerability to Apple. Users should ensure their systems are up to date. We thank the Apple security team for their collaboration and efforts in fixing this issue.<\/p>\n<p>In many cases, special entitlements are leveraged to bypass security mechanisms like SIP, making it essential to monitor specially entitled processes for anomalous behavior. This need for proactive monitoring is only further emphasized when a specially entitled process invokes kernel extensions from third party organizations without proper validation or reduced privileges, which an attacker could exploit to install a kernel driver (rootkit) in a way that could evade detection by security solutions. Following our previous SIP bypass blog posts (<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\">Shrootless<\/a>, <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2023\/05\/30\/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection\/\">Migraine<\/a>), our team set up mechanisms to proactively alert on potentially attacker-controlled child processes of specially entitled processes, which enabled Microsoft Defender and our research team to ultimately identify CVE-2024-44243.<\/p>\n<p>In this blog post, we detail the connection between entitlements and SIP and explain how CVE-2024-44243 could be used to bypass SIP security measures. This research also highlights some of the benefits and challenges of kernel-based monitoring. Prohibiting third party code from running in the kernel can increase macOS reliability, the tradeoff being that it reduces monitoring capabilities for security solutions. 
If SIP is bypassed, the entire operating system can no longer be considered reliable, and with reduced monitoring visibility, threat actors can tamper with any security solutions on the device to evade detection. As such, this research is being presented to the broader security community to underline the critical role of responsible disclosure and collaborative efforts in securing devices across platforms.<\/p>\n<h2 class=\"wp-block-heading\" id=\"understanding-sip-and-entitled-processes\">Understanding SIP and entitled processes<\/h2>\n<p>As covered in our previous SIP bypass blog posts (<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\">Shrootless<\/a>, <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2023\/05\/30\/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection\/\">Migraine<\/a>), SIP (also known as \u201crootless\u201d) is a macOS mechanism that enforces several operating system protections against the root user, restricting its ability to:<\/p>\n<ul class=\"wp-block-list\">\n<li>Load arbitrary kernel drivers<\/li>\n<li>Change non-volatile random-access memory (NVRAM) variables<\/li>\n<li>Get task ports for Apple-signed processes<\/li>\n<li>Allow kernel debugging<\/li>\n<li>Modify sensitive files that are a part of the operating system<\/li>\n<\/ul>\n<p>One interesting fact about SIP is that bypassing just one of those restrictions is likely to lead to bypasses of all other SIP restrictions \u2013 for example:<\/p>\n<ul class=\"wp-block-list\">\n<li>SIP policy is controlled by NVRAM variables, so modifying NVRAM variables bypasses SIP.<\/li>\n<li>Kernel code execution (either through kernel extensions or debugging) can change SIP since it is enforced at the kernel level.<\/li>\n<li>Modifying sensitive files on the file system can bypass SIP, for instance, by modifying the list of allowed kernel extensions 
and then loading that kernel extension.<\/li>\n<\/ul>\n<p>SIP bypasses have traditionally focused on special binaries with specific <a href=\"https:\/\/developer.apple.com\/documentation\/bundleresources\/entitlements\">entitlements<\/a>. As a reminder, entitlements are special capabilities a process might have and are a part of the digital signature of the process. Therefore, entitlements cannot be easily forged by attackers. In addition to the well-documented entitlements available for software developers, certain entitlements are reserved only for processes that have specific operating system functions, such as system updates, debugging capabilities, memory tracing, and security extensions. We refer to them as private entitlements, as their name would commonly start with a <em>com.apple.private<\/em> prefix. There are many such special entitlements, and most are not documented by Apple at all.<\/p>\n<p>Our team has identified how critical it is to monitor anomalous behavior by those specially entitled processes, as in many cases special entitlements could be used for bypassing security mechanisms. For example:<\/p>\n<figure class=\"wp-block-table table\">\n<table>\n<thead>\n<tr>\n<th><\/th>\n<th><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Entitlement<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>com.apple.rootless.install<\/strong><\/td>\n<td>Processes entitled with the <em>com.apple.rootless.install<\/em> entitlement can bypass SIP file system checks. 
Several examples that abuse that entitlement have been reported, including: <br \/>&#8211; Reported by Stefan Esser and <a href=\"https:\/\/www.slideshare.net\/slideshow\/syscan360-stefan-esser-os-x-el-capitan-sinking-the-ship\/59926048\">presented<\/a> at SyScan360, this vulnerability misused the fact that <em>fsck_cs<\/em> follows symbolic links and could therefore write to arbitrary file paths.<br \/>&#8211; CVE-2022-26712 \u2013 <a href=\"https:\/\/jhftss.github.io\/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable\/\">reported<\/a> by Mickey Jin. The vulnerability abuses the <em>SystemShoveService.xpc<\/em> XPC service, which is entitled with the <em>com.apple.rootless.install<\/em> entitlement.<\/p>\n<p>Note that this is not a complete list of vulnerabilities associated with that entitlement.<\/td>\n<\/tr>\n<tr>\n<td><strong>com.apple.rootless.install.heritable<\/strong><\/td>\n<td>Processes entitled with the <em>com.apple.rootless.install.heritable<\/em> entitlement pass the <em>com.apple.rootless.install<\/em> entitlement on to all their child processes. Notable examples include: <br \/>&#8211; CVE-2019-8561 \u2013 <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/cve-2019-8561-a-hard-to-banish-packagekit-framework-vulnerabilit.html\">discovered<\/a> by Trend Micro. The vulnerability leverages a time-of-check-to-time-of-use (TOCTOU) issue in the <em>system_installd<\/em> binary.<br \/>&#8211; CVE-2020-9854 \u2013 <a href=\"https:\/\/objective-see.org\/blog\/blog_0x4D.html\">reported<\/a> by Ilias Morad, which exploited a specific installer script that was spawned by <em>system_installd<\/em> and allowed arbitrary process execution from a command-line argument.<br \/>&#8211; CVE-2021-30892 \u2013 reported by Microsoft Defender, known as \u201c<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\">Shrootless<\/a>\u201d. 
The vulnerability abuses an Apple-signed package that includes shell script components, and through it the <em>system_installd<\/em> binary.<br \/>&#8211; CVE-2022-22583 \u2013 <a href=\"https:\/\/perception-point.io\/blog\/technical-analysis-cve-2022-22583\/\">reported<\/a> by Perception Point. This vulnerability is a variant of our previously reported Shrootless vulnerability and takes advantage of the <em>\/tmp<\/em> symbolic link used by <em>system_installd<\/em>.<br \/>&#8211; CVE-2023-32369 \u2013 reported by Microsoft Defender, known as \u201c<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2023\/05\/30\/new-macos-vulnerability-migraine-could-bypass-system-integrity-protection\/\">Migraine<\/a>\u201d. The exploit abuses the system migration daemon (<em>migrationd<\/em>).<\/p>\n<p>Note that this is not a complete list of vulnerabilities associated with that entitlement.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>There are other entitlements that could be used for other types of vulnerabilities, such as the <em>com.apple.private.tcc.allow<\/em> entitlement, which could be used for <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/01\/10\/new-macos-vulnerability-powerdir-could-lead-to-unauthorized-user-data-access\/\">TCC bypasses<\/a>, which we also monitor. 
However, in this blog post we will focus on SIP-related entitlements only.<\/p>\n<p>Due to the sensitive nature of the <em>com.apple.rootless.install.heritable<\/em> entitlement, it is evident that monitoring anomalous child processes of processes entitled with <em>com.apple.rootless.install.heritable<\/em> is important for security research.<\/p>\n<h2 class=\"wp-block-heading\" id=\"discovery-of-sip-bypasses-through-custom-file-systems\">Discovery of SIP bypasses through custom file systems<\/h2>\n<p>One of the processes entitled with the previously described <em>com.apple.rootless.install.heritable<\/em> entitlement is <em>storagekitd<\/em>, which is a daemon that handles disk state-keeping by the Storage Kit private framework.<\/p>\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"937\" height=\"535\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image.jpg\" alt=\"Screenshot of code depicting storagekitd and its SIP-related entitlements\" class=\"wp-image-137048\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image.jpg 937w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-300x171.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-768x439.jpg 768w\" sizes=\"(max-width: 937px) 100vw, 937px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 1. 
storagekitd and its SIP-related entitlements<\/em><\/figcaption><\/figure>\n<p>As shown, <em>storagekitd<\/em> has many SIP bypassing capabilities, including the <em>com.apple.rootless.install.heritable<\/em> entitlement, which means all its child processes are of great interest.<\/p>\n<p>Using <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/advanced-hunting-query-language\">advanced hunting query language<\/a>, we can look for all child processes of the <em>storagekitd<\/em> daemon that run from outside the system-owned directories:<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; gutter: false; title: ; notranslate\">DeviceProcessEvents\n| where InitiatingProcessFileName == &quot;storagekitd&quot;\n    and FolderPath !startswith &quot;\/System&quot;\n    and FolderPath !startswith &quot;\/sbin&quot;\n    and FolderPath !startswith &quot;\/bin&quot;\n    and FolderPath !startswith &quot;\/usr&quot;\n| summarize by ProcessCommandLine<\/pre>\n<\/div>\n<p>Interestingly, we found several processes, which we immediately investigated:<\/p>\n<figure class=\"wp-block-table table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Example path<\/strong><\/td>\n<td><strong>Explanation<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>\/Library\/Filesystems\/iboysoft_NTFS.fs\/Contents\/Resources\/newfs_ms_ntfs<\/strong><\/td>\n<td>Custom NTFS implementation from <a href=\"https:\/\/iboysoft.com\">iBoysoft<\/a>.<\/td>\n<\/tr>\n<tr>\n<td><strong>\/Library\/Filesystems\/tuxera_ntfs.fs\/Contents\/Resources\/newfs_tuxera_ntfs<\/strong><\/td>\n<td>Custom NTFS implementation from <a href=\"https:\/\/ntfsformac.tuxera.com\">Tuxera<\/a>.<\/td>\n<\/tr>\n<tr>\n<td><strong>\/Library\/Filesystems\/ufsd_ExtFS.fs\/Contents\/Resources\/fsck_ufsd_ExtFS<\/strong><\/td>\n<td>Custom EXT file system implementation from <a href=\"https:\/\/www.paragon-software.com\">Paragon<\/a>.<\/td>\n<\/tr>\n<tr>\n<td><strong>\/Library\/Filesystems\/ufsd_NTFS.fs\/Contents\/Resources\/fsck_ufsd_NTFS<\/strong><\/td>\n<td>Custom 
NTFS implementation from <a href=\"https:\/\/www.paragon-software.com\">Paragon<\/a>.<\/td>\n<\/tr>\n<tr>\n<td><strong>\/Library\/Filesystems\/easeus_NTFS.fs\/Contents\/Resources\/newfs_easeus_NTFS<\/strong><\/td>\n<td>Custom NTFS implementation from <a href=\"https:\/\/toolbox.easeus.com\/ntfs-for-mac\/\">EaseUS<\/a>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>We therefore attempted to install those solutions. By overriding the binaries under the relevant bundle under <em>\/Library\/Filesystems<\/em> and triggering them with the Disk Utility app, we proved that we were able to bypass SIP protections, overriding the Apple kernel extensions exclusion list. Moreover, we have successfully been able to automate our process with the <a href=\"https:\/\/ss64.com\/mac\/diskutil.html\">diskutil<\/a> utility, which, similarly to the <a href=\"https:\/\/support.apple.com\/guide\/disk-utility\/welcome\/mac\">Disk Utility<\/a> app, uses the Storage Kit private framework:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/Figure-2.-SIP-bypass-done-by-triggering-storagekitd-1.webp\" alt=\"Screenshot of code depicting storagekitd leading to SIP being bypassed\" class=\"wp-image-137065 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/Figure-2.-SIP-bypass-done-by-triggering-storagekitd-1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. 
SIP bypass done by triggering storagekitd<\/em><\/figcaption><\/figure>\n<p>It\u2019s important to note that everything described in this blog post is a macOS vulnerability due to <em>storagekitd\u2019s<\/em> ability to invoke arbitrary processes without proper validation or dropping privileges, rather than a vulnerability in each of those products.<\/p>\n<h2 class=\"wp-block-heading\" id=\"experimenting-with-custom-file-systems\">Experimenting with custom file systems<\/h2>\n<p>Mounting filesystems on macOS involves the Disk Arbitration daemon (<em>diskarbitrationd<\/em>), which supports filesystems that are implemented in the kernel (APFS, HFS+) and those that are implemented in userspace. Filesystems implemented in userspace are known as User Filesystems (UserFS). macOS comes pre-shipped with several such filesystem implementations, each of which appears as a file system bundle (<em>*.fs<\/em>) under <em>\/System\/Library\/Filesystems<\/em> and <em>\/Library\/Filesystems<\/em>.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/Figure-3.-Custom-filesystem-bundles-3.webp\" alt=\"Screenshot of code depicting custom filesystem bundles\" class=\"wp-image-137072 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/Figure-3.-Custom-filesystem-bundles-3.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. Custom filesystem bundles<\/em><\/figcaption><\/figure>\n<p>While the structure of file system bundles is not well documented, <em>diskarbitrationd<\/em> is fully <a href=\"https:\/\/github.com\/apple-open-source\/macos\/tree\/master\/DiskArbitration\">open-source<\/a>, which shows what properties are expected from such a bundle. 
The structure is as follows:<\/p>\n<ul class=\"wp-block-list\">\n<li>A dictionary of <em>FSMediaTypes<\/em> exists, in which the key is the file system\u2019s formal name (or a designated GUID), and the value contains various content hints.<\/li>\n<li>More importantly, the bundle information clearly specifies the binary file names and command-line arguments that will be used for specific operations, such as mounting, repairing, and probing.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/powerofcommunity.net\/poc2024\/Csaba%20Fitzl,%20Apple%20Disk-O%20Party.pdf\">As described<\/a> by Csaba Fitzl of Kandji in POC2024, upon mounting, the disk utility consults a specialized daemon known as the Storage Kit daemon (<em>storagekitd<\/em>), which, in turn, uses the Disk Arbitration daemon (<em>diskarbitrationd<\/em>) to invoke the right mount process via <em>posix_spawn<\/em>. However, we noticed certain operations (such as \u201c<em>disk repair<\/em>\u201d) are directly invoked under <em>storagekitd<\/em>. Since an attacker that can run as root can drop a new file system bundle into <em>\/Library\/Filesystems<\/em>, they can later trigger <em>storagekitd<\/em> to spawn custom binaries, hence bypassing SIP.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"677\" height=\"952\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-2.jpg\" alt=\"Screenshot of code depicting the new file system registration, including the name and executables to be run\" class=\"wp-image-137050\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-2.jpg 677w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-2-213x300.jpg 213w\" sizes=\"auto, (max-width: 677px) 100vw, 677px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 4. 
New file system registration that includes the name and the executables to be run<\/em><\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"714\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-1.jpg\" alt=\"Screenshot depicting the Disk Utility recognizing the registered file system\" class=\"wp-image-137046\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-1.jpg 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-1-300x209.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-1-768x536.jpg 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 5. Registered file system recognized by the Disk Utility<\/em><\/figcaption><\/figure>\n<p>Triggering the <em>erase<\/em> operation on the newly created file system can bypass SIP protections as well.<\/p>\n<h2 class=\"wp-block-heading\" id=\"detecting-the-vulnerability-with-microsoft-defender-for-endpoint-monitoring\">Detecting the vulnerability with Microsoft Defender for Endpoint monitoring<\/h2>\n<p>System Integrity Protection (SIP) serves as a critical safeguard against malware, attackers, and other cybersecurity threats, establishing a fundamental layer of protection for macOS systems. Bypassing SIP impacts the entire operating system\u2019s security and could lead to severe consequences, emphasizing the necessity for comprehensive security solutions that can detect anomalous behavior from specially entitled processes. 
The challenge of detecting such threats is compounded by the inherent limitations in kernel-level visibility on macOS, making it difficult for traditional security measures to spot and mitigate these sophisticated attacks.<\/p>\n<p>As our research demonstrates, an attacker with the ability to run as root could have exploited CVE-2024-44243 by loading third party kernel extensions to bypass SIP. To address these challenges, <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-vulnerability-management\/defender-vulnerability-management\">Microsoft Defender Vulnerability Management<\/a>&nbsp;quickly identifies and resolves CVE-2024-44243 and similar vulnerabilities&nbsp;while <a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a> offers robust monitoring capabilities designed to detect and alert on anomalous behavior associated with specially entitled processes on macOS. Proactive monitoring for such anomalies is crucial to enable defenders to stay ahead of emerging threats and mitigate potential risks effectively. By leveraging these advanced detection mechanisms, organizations can gain greater visibility into activities that may indicate an attempt to exploit vulnerabilities that bypass SIP and other protection technologies across platforms.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-1.webp\" alt=\"Screenshot of code depicting a SIP bypass alert in Microsoft Defender for Endpoint\" class=\"wp-image-137051 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/01\/image-1.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 6. 
Microsoft Defender for Endpoint Potential System Integrity Protection bypass alert<\/em><\/figcaption><\/figure>\n<p>This research underscores the importance of shared knowledge and collaborative efforts within the security community. We\u2019d like to again thank Apple for their work in addressing this vulnerability, and Mickey Jin for responsibly disclosing the vulnerability in parallel with Microsoft. We believe that disseminating this information will not only foster responsible disclosure but also encourage collective action to fortify defenses against developing threats. By working together and leveraging the insights gained from these findings, we can better protect our systems and respond effectively to evolving security challenges.<\/p>\n<p><strong>Jonathan Bar Or<\/strong><\/p>\n<p><em>Microsoft Defender Research Team<\/em><\/p>\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/developer.apple.com\/documentation\/security\/disabling_and_enabling_system_integrity_protection\">https:\/\/developer.apple.com\/documentation\/security\/disabling_and_enabling_system_integrity_protection<\/a><\/li>\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-44243\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-44243<\/a><\/li>\n<li><a href=\"https:\/\/support.apple.com\/en-us\/121839\">https:\/\/support.apple.com\/en-us\/121839<\/a><\/li>\n<li><a href=\"https:\/\/x.com\/patch1t\">https:\/\/x.com\/patch1t<\/a><\/li>\n<li><a href=\"https:\/\/developer.apple.com\/documentation\/bundleresources\/entitlements\">https:\/\/developer.apple.com\/documentation\/bundleresources\/entitlements<\/a><\/li>\n<li><a href=\"https:\/\/www.slideshare.net\/slideshow\/syscan360-stefan-esser-os-x-el-capitan-sinking-the-ship\/59926048\">https:\/\/www.slideshare.net\/slideshow\/syscan360-stefan-esser-os-x-el-capitan-sinking-the-ship\/59926048<\/a><\/li>\n<li><a 
href=\"https:\/\/jhftss.github.io\/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable\/\">https:\/\/jhftss.github.io\/CVE-2022-26712-The-POC-For-SIP-Bypass-Is-Even-Tweetable\/<\/a><\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/cve-2019-8561-a-hard-to-banish-packagekit-framework-vulnerabilit.html\">https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/cve-2019-8561-a-hard-to-banish-packagekit-framework-vulnerabilit.html<\/a><\/li>\n<li><a href=\"https:\/\/objective-see.org\/blog\/blog_0x4D.html\">https:\/\/objective-see.org\/blog\/blog_0x4D.html<\/a><\/li>\n<li><a href=\"https:\/\/perception-point.io\/blog\/technical-analysis-cve-2022-22583\/\">https:\/\/perception-point.io\/blog\/technical-analysis-cve-2022-22583\/<\/a><\/li>\n<li><a href=\"https:\/\/iboysoft.com\/\">https:\/\/iboysoft.com\/<\/a><\/li>\n<li><a href=\"https:\/\/ntfsformac.tuxera.com\/\">https:\/\/ntfsformac.tuxera.com\/<\/a><\/li>\n<li><a href=\"https:\/\/www.paragon-software.com\/\">https:\/\/www.paragon-software.com\/<\/a><\/li>\n<li><a href=\"https:\/\/toolbox.easeus.com\/ntfs-for-mac\/\">https:\/\/toolbox.easeus.com\/ntfs-for-mac\/<\/a><\/li>\n<li><a href=\"https:\/\/ss64.com\/mac\/diskutil.html\">https:\/\/ss64.com\/mac\/diskutil.html<\/a><\/li>\n<li><a href=\"https:\/\/support.apple.com\/guide\/disk-utility\/welcome\/mac\">https:\/\/support.apple.com\/guide\/disk-utility\/welcome\/mac<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/apple-open-source\/macos\/tree\/master\/DiskArbitration\">https:\/\/github.com\/apple-open-source\/macos\/tree\/master\/DiskArbitration<\/a><\/li>\n<li><a href=\"https:\/\/powerofcommunity.net\/poc2024\/Csaba%20Fitzl,%20Apple%20Disk-O%20Party.pdf\">https:\/\/powerofcommunity.net\/poc2024\/Csaba%20Fitzl,%20Apple%20Disk-O%20Party.pdf<\/a><\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat 
Intelligence Blog:&nbsp;<a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n<p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence<\/a>, and on X (formerly Twitter) at\u00a0<a href=\"https:\/\/x.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/x.com\/MsftSecIntel<\/a>.<\/p>\n<p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/01\/13\/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions\/\">Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/01\/13\/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft Threat Intelligence| Date: Mon, 13 Jan 2025 17:00:00 +0000<\/strong><\/p>\n<p>Microsoft discovered a macOS vulnerability allowing attackers to bypass System Integrity Protection (SIP) by loading third party kernel extensions, which could lead to serious consequences, such as allowing attackers to install rootkits, create persistent malware, bypass Transparency, Consent, and 
Control (TCC), and expand the attack surface to perform other unauthorized operations.<\/p>\n<p>The post <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/01\/13\/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions\/\">Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions<\/a> appeared first on <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10403],"class_list":["post-25673","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-macos"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25673","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25673"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25673\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25673"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25673"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25673"}],"curies":[{"name":"wp","href":"https:\/\/api.w.o
rg\/{rel}","templated":true}]}}