Microsoft: This macOS flaw could have let attackers install undetectable malware

Flaw, now patched, could have allowed rootkits to be installed.
Written by Liam Tung, Contributing Writer

Apple has patched a security flaw in macOS that Microsoft researchers found could be used to install a malicious kernel driver, otherwise known as a 'rootkit'.  

The flaw resided within macOS System Integrity Protection (SIP). The glitch allowed a potential attacker to install a malicious kernel driver, which would let them "overwrite system files, or install persistent, undetectable malware".

The discovery reflects Microsoft's increased focus on enterprise customers that use a mix of Windows and macOS under hybrid work arrangements, as evidenced by its cross-platform security product, Microsoft Defender for Endpoint. Microsoft introduced Defender ATP for Macs in 2019, well before the pandemic pushed everyone to the hardware they used at home.


"This OS-level vulnerability and others that will inevitably be uncovered add to the growing number of possible attack vectors for attackers to exploit," explains Jonathan Bar-Or, from the Microsoft 365 Defender Research team.

"As networks become increasingly heterogeneous, the number of threats that attempt to compromise non-Windows devices also increases."

SIP, also known as 'rootless', locks down the system from the root user by using Apple's sandbox to protect macOS. It relies on several memory-based variables that shouldn't be modifiable outside recovery mode. SIP can be turned off after booting into recovery mode, which is why an attacker able to do so can bypass its protections.

"Over the years, Apple has hardened SIP against attacks by improving restrictions," writes Or. 

"One of the most notable SIP restrictions is the filesystem restriction. This is especially important for red teamers and malicious actors, as the amount of damage one can do to a device's critical components is directly based on their ability to write unrestricted data to disk."

The flaw Microsoft found in Apple's SIP restrictions was related to system updates, which require unrestricted access to SIP-protected directories. Apple "introduced a particular set of entitlements that bypass SIP checks by design," writes Or. 

Apple patched the flaw, tracked as CVE-2021-30892, in macOS Monterey 12.0.1, as well as updates for Catalina and Big Sur.

SIP vulnerabilities aren't new, but Microsoft decided the bug was serious enough to warrant the name "shrootless".

"While assessing macOS processes entitled to bypass SIP protections, we came across the daemon system_installd, which has the powerful com.apple.rootless.install.inheritable entitlement. With this entitlement, any child process of system_installd would be able to bypass SIP filesystem restrictions altogether," explains Or. 
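A defender's check that follows from the quote above: because anything system_installd spawns inherits its SIP bypass, endpoint telemetry can flag SIP-protected writes made by the daemon's descendants rather than by the daemon itself. This is an added example, not code from the article or from Microsoft; the event format, the sample log lines and the list of protected roots are constructed assumptions.

```python
"""Flag writes to SIP-protected paths by descendants of system_installd.
Added example, not code from the article or from Microsoft. Event format is a
hypothetical one: "<pid> <ppid> <process> <action> <path>" (one event per line)."""
from collections import namedtuple
Event = namedtuple("Event", "pid ppid name action path")

# Assumed subset of SIP-protected roots; /usr/local is exempt from SIP.
SIP_PROTECTED = ("/System/", "/usr/", "/bin/", "/sbin/")
SIP_EXEMPT = ("/usr/local/",)

# Constructed sample telemetry, not a real capture: system_installd's own write is
# expected by design (installers need it); the writes by its shell child's children are not.
SAMPLE_LOG = """
300 1   system_installd write /System/Library/Extensions/Example.kext/Contents/Info.plist
410 300 zsh             write /private/tmp/postinstall.log
415 410 cp              write /usr/local/bin/helper
416 410 cp              write /System/Library/LaunchDaemons/com.example.added.plist
500 1   Finder          write /Users/alice/Desktop/notes.txt
"""

def is_sip_protected(path):
    return path.startswith(SIP_PROTECTED) and not path.startswith(SIP_EXEMPT)

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        pid, ppid, name, action, path = line.split(maxsplit=4)
        events.append(Event(int(pid), int(ppid), name, action, path))
    return events

def descendants_of(events, root_name):
    """Pids whose ancestor chain (within the log) contains a process named root_name."""
    parent = {e.pid: e.ppid for e in events}
    name = {e.pid: e.name for e in events}
    found = set()
    for pid in parent:
        p, seen = parent[pid], set()
        while p in parent and p not in seen:   # stop at an unknown pid or a cycle
            if name[p] == root_name:
                found.add(pid)
                break
            seen.add(p)
            p = parent[p]
    return found

def find_inherited_sip_bypass(text):
    """Return (process, pid, path) for SIP-protected writes by system_installd descendants."""
    events = parse_events(text)
    suspects = descendants_of(events, "system_installd")
    return [(e.name, e.pid, e.path) for e in events
            if e.action == "write" and e.pid in suspects and is_sip_protected(e.path)]
```

On the constructed sample, only the `cp` child of the post-install shell writing into /System is reported; the daemon's own write and the write under the SIP-exempt /usr/local are not.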


Microsoft, of course, argues this flaw shows why Defender for Endpoint's behavioral analytics capabilities are needed to protect Macs in the enterprise.

Apple patched dozens more serious bugs in its latest update for macOS Monterey and earlier.

Taking a step back, Microsoft's post touches on a decades-old debate about whether Macs need antivirus and the two companies' respective approaches to that question. 

Macs, in Apple's view, don't need antivirus, whereas Windows PCs do. Apple has used the rise of malware targeting macOS in its arguments against Fortnite-maker Epic Games, for example. And Microsoft this year hired Justin Long, the face of the "Get A Mac" campaigns that once focused on malware targeting Windows PCs but not Macs. But in the enterprise in 2021, where Macs are ascending, work is hybrid, and state-sponsored hackers are looking for every entry point, it's clear that security threats continue to evolve.
