Apple recently addressed a macOS vulnerability that enables attackers to bypass System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions.
System Integrity Protection (SIP), or 'rootless,' is a macOS security feature that prevents malicious software from altering specific folders and files by limiting the root user account's powers in protected areas.
SIP allows only Apple-signed processes or those with special entitlements, such as Apple software updates, to modify macOS-protected components. Disabling SIP normally requires a system restart and booting from macOS Recovery (the built-in recovery system), which requires physical access to the compromised machine.
The security flaw (tracked as CVE-2024-44243), which can only be exploited by local attackers with root privileges in low-complexity attacks requiring user interaction, was found in the Storage Kit daemon that handles disk state-keeping.
Successful exploitation could allow attackers to bypass SIP root restrictions without physical access to install rootkits (kernel drivers), create persistent, "undeletable" malware, or circumvent Transparency, Consent, and Control (TCC) security checks to access victims' data.
Apple patched the vulnerability in security updates for macOS Sequoia 15.2, released one month ago, on December 11, 2024.

"System Integrity Protection (SIP) serves as a critical safeguard against malware, attackers, and other cybersecurity threats, establishing a fundamental layer of protection for macOS systems," Microsoft said today in a report that provides more technical details on CVE-2024-44243.
"Bypassing SIP impacts the entire operating system's security and could lead to severe consequences, emphasizing the necessity for comprehensive security solutions that can detect anomalous behavior from specially entitled processes."
Microsoft security researchers have discovered several macOS vulnerabilities in recent years. A SIP bypass dubbed 'Shrootless' (CVE-2021-30892), reported in 2021, also allows attackers to perform arbitrary operations on compromised Macs and potentially install rootkits.
More recently, they also found another SIP bypass dubbed 'Migraine' (CVE-2023-32369) and a security flaw known as Achilles (CVE-2022-42821), which can be exploited to deploy malware via untrusted apps capable of bypassing Gatekeeper execution restrictions.
Microsoft principal security researcher Jonathan Bar Or also discovered 'powerdir' (CVE-2021-30970), another macOS vulnerability that lets attackers bypass Transparency, Consent, and Control (TCC) technology to access macOS users' protected data.
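The two facts above (SIP is supposed to be on, and a SIP bypass of this kind ends with a third-party kernel extension loaded) suggest a simple host check. The script below is an added example, not code from the article, Apple or Microsoft: it parses constructed sample output of `csrutil status` and `kextstat`, reports whether SIP is enabled, and lists loaded kexts outside the `com.apple.*` namespace. The column layout assumed for `kextstat` and the exact wording of the `csrutil` line are assumptions about those tools' output; on a real Mac you would feed it the captured output of those commands.

```python
"""Added example (not from the article, Apple or Microsoft): offline triage of
SIP state and loaded kernel extensions from captured command output."""
import re
from typing import Optional

# Constructed sample of `csrutil status` output (wording assumed).
CSRUTIL_SAMPLE = "System Integrity Protection status: enabled.\n"

# Constructed sample of `kextstat` output (column layout assumed):
# Index Refs Address Size Wired Name (Version) UUID <Linked Against>
KEXTSTAT_SAMPLE = """\
Index Refs Address            Size       Wired      Name (Version) UUID <Linked Against>
    1  152 0                  0          0          com.apple.kpi.bsd (23.6.0) 00000000-0000-0000-0000-000000000001
   42    0 0xffffff7f9f2c4000 0x6000     0x6000     com.apple.filesystems.autofs (3.0) 00000000-0000-0000-0000-000000000002 <1>
  180    0 0xffffff7fa0b10000 0x1f000    0x1f000    com.example.rootkit (1.0) 00000000-0000-0000-0000-000000000003 <1>
"""

SIP_RE = re.compile(r"System Integrity Protection status:\s*(enabled|disabled)", re.I)
# Five whitespace-separated columns, then the bundle id and "(version)".
KEXT_RE = re.compile(
    r"^\s*\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<name>\S+)\s+\((?P<version>[^)]*)\)"
)


def sip_enabled(csrutil_output: str) -> Optional[bool]:
    """True/False from `csrutil status` text, None if the status line is missing."""
    m = SIP_RE.search(csrutil_output)
    if m is None:
        return None
    return m.group(1).lower() == "enabled"


def loaded_kexts(kextstat_output: str) -> list[tuple[str, str]]:
    """(bundle id, version) for each data row; the header row does not match."""
    rows = []
    for line in kextstat_output.splitlines():
        m = KEXT_RE.match(line)
        if m:
            rows.append((m.group("name"), m.group("version")))
    return rows


def third_party_kexts(kextstat_output: str) -> list[str]:
    """Bundle ids of loaded kexts outside the com.apple.* namespace."""
    return [name for name, _ in loaded_kexts(kextstat_output)
            if not name.startswith("com.apple.")]


def triage(csrutil_output: str, kextstat_output: str) -> dict:
    """Combine both checks into findings a responder can act on."""
    sip = sip_enabled(csrutil_output)
    foreign = third_party_kexts(kextstat_output)
    findings = []
    if sip is None:
        findings.append("SIP state could not be determined; verify manually")
    elif not sip:
        findings.append("SIP reports disabled; kernel and protected paths are unguarded")
    if foreign:
        if sip:
            # A non-Apple kext with SIP still on is the pattern a SIP bypass leaves behind.
            findings.append("non-Apple kexts loaded while SIP reports enabled: " + ", ".join(foreign))
        else:
            findings.append("non-Apple kexts loaded: " + ", ".join(foreign))
    return {"sip_enabled": sip, "third_party_kexts": foreign, "findings": findings}


if __name__ == "__main__":
    for finding in triage(CSRUTIL_SAMPLE, KEXTSTAT_SAMPLE)["findings"]:
        print(finding)
```

A non-Apple bundle id is not by itself evidence of compromise; some endpoint and virtualization products still ship kernel extensions. The signal worth chasing is the combination the article describes: SIP reporting enabled on a machine where an unexpected kext is nonetheless loaded, which means the loading path itself needs explaining.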