Microsoft Risk Intelligence has uncovered a vital macOS vulnerability that allowed attackers to bypass Apple’s System Integrity Safety (SIP).
Often called CVE-2024-44243, this vulnerability could possibly be exploited to load third-party kernel extensions, leading to extreme safety implications for macOS customers.
Apple launched a patch for this vulnerability as a part of its December 11, 2024, safety replace. The invention was made in parallel by Microsoft and safety researcher Mickey Jin, each of whom responsibly reported the difficulty to Apple.
What’s System Integrity Safety (SIP)?
System Integrity Safety, generally known as SIP, is a foundational macOS safety function designed to limit system-level operations that would compromise the integrity of the working system.
By imposing restrictions even on customers with root privileges, SIP helps safeguard macOS gadgets from unauthorized modifications, guaranteeing tighter safety towards malware, rootkits, and different threats.
Nonetheless, Microsoft’s report highlights the vital threat posed by a profitable SIP bypass. An exploited SIP vulnerability may enable attackers to:
- Set up persistent malware or rootkits.
- Bypass macOS’s Transparency, Consent, and Management (TCC) framework.
- Tamper with safety options to evade detection.
- Broaden the assault floor for added exploits.
Discovery and Evaluation of CVE-2024-44243
Microsoft’s analysis revealed that the Storage Equipment daemon (storagekitd), a key macOS course of dealing with disk state operations, could possibly be exploited to bypass SIP protections.
Attackers operating as root may leverage this vulnerability by introducing and triggering customized file system bundles that enabled unauthorized operations.
The analysis workforce found a number of third-party file system implementations, together with these from Tuxera, Paragon, EaseUS, and iBoysoft, which had been vulnerable to abuse.
By integrating customized code into these file programs and utilizing instruments like Disk Utility or the diskutil
command, attackers may bypass SIP, overriding Apple’s kernel extension exclusion listing.


This allowed unauthorized actions, equivalent to operating arbitrary processes with out correct validation or privilege drops, which SIP is designed to stop.
A SIP bypass impacts all the macOS working system, making it unreliable and doubtlessly susceptible to a variety of assaults. Risk actors may exploit this to:
- Modify vital system recordsdata.
- Evade detection by disabling or tampering with safety instruments.
- Persist on the system by refined malware.
The analysis underscores a broader problem confronted by macOS safety mechanisms: whereas limiting third-party kernel code improves system reliability, it limits kernel-level visibility for monitoring instruments, making refined assaults tougher to detect.
Microsoft’s Function in Detection and Mitigation
To establish the CVE-2024-44243 vulnerability, Microsoft leveraged superior monitoring methods by Microsoft Defender for Endpoint.
The workforce proactively monitored processes with particular entitlements—permissions granted to processes performing vital system features.
These entitlements, equivalent to com.apple.rootless.set up.heritable, may result in SIP bypasses when misused by attackers.
By analyzing anomalous little one processes of entitled daemons like storagekitd, Microsoft efficiently flagged the vulnerability.
Microsoft Defender for Endpoint offers real-time alerts for potential SIP bypass makes an attempt, enabling organizations to remain forward of rising threats.
Moreover, Microsoft Defender Vulnerability Administration helps shortly detect and resolve vulnerabilities like CVE-2024-44243, guaranteeing complete safety for customers.
Apple’s Repair and Accountable Disclosure
The vulnerability was responsibly disclosed to Apple by the Coordinated Vulnerability Disclosure (CVD) course of through Microsoft Safety Vulnerability Analysis (MSVR).
Apple promptly collaborated with Microsoft and Mickey Jin to ship a patch addressing CVE-2024-44243 of their December 2024 safety replace.
macOS customers are urged to replace their programs instantly to mitigate the chance posed by this vulnerability.
Microsoft emphasised the significance of monitoring specifically entitled processes for anomalous habits, given their potential for safety bypasses.
Previous vulnerabilities (e.g., “Shrootless” and “Migraine”) have highlighted how entitlements tied to privileged processes might be exploited by attackers.
The corporate additionally reiterated the importance of collaborative efforts throughout the safety neighborhood to strengthen defenses and guarantee accountable disclosure.
Defending macOS Methods: What Customers Can Do
To guard towards potential safety threats:
- Replace Methods: Guarantee macOS gadgets are operating the most recent software program with the December 2024 safety replace.
- Use Safety Instruments: Deploy complete endpoint safety instruments like Microsoft Defender for Endpoint, which displays for SIP bypass makes an attempt and different anomalous actions.
- Monitor Entitled Processes: Organizations ought to intently observe vital processes with particular entitlements which may be focused by attackers.
- Adhere to Greatest Practices: Keep away from operating untrusted third-party software program and restrict administrative privileges to scale back assault alternatives.
The discovery and backbone of CVE-2024-44243 underscore the significance of steady safety analysis and collaboration.
As refined cyber threats evolve, proactive detection, accountable disclosure, and swift patching stay vital to sustaining the integrity of contemporary working programs.
Apple’s swift response to this vulnerability illustrates the ability of collective motion in securing gadgets towards rising dangers.
Examine Actual-World Malicious Hyperlinks, Malware & Phishing Assaults With ANY.RUN – Attempt for Free