Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass Apple’s System Integrity Protection (SIP).
Known as CVE-2024-44243, this vulnerability could be exploited to load third-party kernel extensions, resulting in severe security implications for macOS users.
Apple released a patch for this vulnerability as part of its December 11, 2024, security update. The discovery was made in parallel by Microsoft and security researcher Mickey Jin, both of whom responsibly reported the issue to Apple.
What is System Integrity Protection (SIP)?
System Integrity Protection, commonly referred to as SIP, is a foundational macOS security feature designed to restrict system-level operations that could compromise the integrity of the operating system.
By enforcing restrictions even on users with root privileges, SIP helps safeguard macOS devices from unauthorized modifications, ensuring tighter security against malware, rootkits, and other threats.
However, Microsoft’s report highlights the critical risk posed by a successful SIP bypass. An exploited SIP vulnerability could allow attackers to:
- Install persistent malware or rootkits.
- Bypass macOS’s Transparency, Consent, and Control (TCC) framework.
- Tamper with security solutions to evade detection.
- Broaden the attack surface for additional exploits.
Discovery and Analysis of CVE-2024-44243
Microsoft’s research revealed that the Storage Kit daemon (storagekitd), a key macOS process handling disk state operations, could be exploited to bypass SIP protections.
Attackers running as root could leverage this vulnerability by introducing and triggering custom file system bundles that enabled unauthorized operations.
The research team discovered multiple third-party file system implementations, including those from Tuxera, Paragon, EaseUS, and iBoysoft, which were susceptible to abuse.
By integrating custom code into these file systems and using tools like Disk Utility or the diskutil command, attackers could bypass SIP, overriding Apple’s kernel extension exclusion list.
This allowed unauthorized actions, such as running arbitrary processes without proper validation or privilege drops, which SIP is designed to prevent.
A SIP bypass impacts the entire macOS operating system, making it unreliable and potentially vulnerable to a wide range of attacks. Threat actors could exploit this to:
- Modify critical system files.
- Evade detection by disabling or tampering with security tools.
- Persist on the system through sophisticated malware.
The research underscores a broader challenge faced by macOS security mechanisms: while restricting third-party kernel code improves system reliability, it limits kernel-level visibility for monitoring tools, making sophisticated attacks harder to detect.
Microsoft’s Role in Detection and Mitigation
To identify the CVE-2024-44243 vulnerability, Microsoft leveraged advanced monitoring techniques through Microsoft Defender for Endpoint.
The team proactively monitored processes with special entitlements—permissions granted to processes performing critical system functions.
These entitlements, such as com.apple.rootless.install.heritable, could lead to SIP bypasses when misused by attackers.
By analyzing anomalous child processes of entitled daemons like storagekitd, Microsoft successfully flagged the vulnerability.
Microsoft Defender for Endpoint provides real-time alerts for potential SIP bypass attempts, enabling organizations to stay ahead of emerging threats.
Additionally, Microsoft Defender Vulnerability Management helps quickly detect and resolve vulnerabilities like CVE-2024-44243, ensuring comprehensive protection for users.
Apple’s Fix and Responsible Disclosure
The vulnerability was responsibly disclosed to Apple through the Coordinated Vulnerability Disclosure (CVD) process via Microsoft Security Vulnerability Research (MSVR).
Apple promptly collaborated with Microsoft and Mickey Jin to deliver a patch addressing CVE-2024-44243 in their December 2024 security update.
macOS users are urged to update their systems immediately to mitigate the risk posed by this vulnerability.
Microsoft emphasized the importance of monitoring specially entitled processes for anomalous behavior, given their potential for security bypasses.
Past vulnerabilities (e.g., “Shrootless” and “Migraine”) have highlighted how entitlements tied to privileged processes can be exploited by attackers.
The company also reiterated the significance of collaborative efforts within the security community to strengthen defenses and ensure responsible disclosure.
Protecting macOS Systems: What Users Can Do
To protect against potential security threats:
- Update Systems: Ensure macOS devices are running the latest software with the December 2024 security update.
- Use Security Tools: Deploy comprehensive endpoint protection tools like Microsoft Defender for Endpoint, which monitors for SIP bypass attempts and other anomalous activities.
- Monitor Entitled Processes: Organizations should closely observe critical processes with special entitlements that may be targeted by attackers.
- Adhere to Best Practices: Avoid running untrusted third-party software and limit administrative privileges to reduce attack opportunities.
The discovery and resolution of CVE-2024-44243 underscore the importance of continuous security research and collaboration.
As sophisticated cyber threats evolve, proactive detection, responsible disclosure, and swift patching remain critical to maintaining the integrity of modern operating systems.
Apple’s swift response to this vulnerability illustrates the power of collective action in securing devices against emerging risks.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free