Flaw in macOS briefly allowed attackers to install what they wanted

Credit: Andrew O'Hara, AppleInsider

Security researchers at Microsoft have disclosed a now-patched macOS vulnerability that allowed attackers to bypass a Mac's System Integrity Protection.

The vulnerability, dubbed "Shrootless," leverages the fact that Apple-notarized app install packages can still perform activities normally barred by SIP. According to a blog post from Microsoft's 365 Defender Research Team, this is because the kernel can still alter protected locations on macOS.

Normally, these types of attacks are prevented by SIP, which was first introduced in macOS 10.11 El Capitan. The feature adds kernel-level defenses against changing specific files within macOS, even if an app or user has root privileges.

However, as Microsoft notes, SIP must allow installer packages to temporarily bypass the protections in order to install an app or other files. It does so through an inheritance system: the processes an installer spawns inherit its SIP bypass.

The problem lies in the fact that install packages can contain post-install scripts that macOS runs with the default system shell. If an attacker were to modify those scripts, they would be executed with the inherited SIP bypass privileges.


Of course, the attack technique would hinge on whether a user downloads and runs an installer package that has been tampered with. An attacker could trick a user into downloading a malicious installer package, or a user could simply download one inadvertently through carelessness.

Once exploited, the vulnerability could theoretically allow an attacker to perform other attacks through elevated permissions, or gain persistence on a system.

How to protect yourself

Apple patched the vulnerability in macOS Monterey 12.0.1, as well as in security updates to macOS Big Sur and macOS Catalina.

However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers.

14 Comments

lkrupp 20 Years · 10521 comments

So Microsoft and Google are researching and reporting macOS and iOS flaws. Fine and good. Does Apple itself have a security research team looking for flaws in macOS, Windows, Android, iOS?

"

However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers.”

Yeah, right, okay. No patch coming, gotta buy new hardware? Really?

1 Like · 0 Dislikes
crowley 16 Years · 10431 comments

lkrupp said:
So Microsoft and Google are researching and reporting macOS and iOS flaws. Fine and good. Does Apple itself have a security research team looking for flaws in macOS, Windows, Android, iOS?

"However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers.”

Yeah, right, okay. No patch coming, gotta buy new hardware? Really?

They mean upgrade the software, genius.

5 Likes · 0 Dislikes
crowley 16 Years · 10431 comments

And if the hardware can't handle newer software, then yes, upgrade the hardware, because it's insecure.

3 Likes · 0 Dislikes
caddyman33 8 Years · 25 comments

If people never upgraded we would still be using PowerPCs

2 Likes · 0 Dislikes
JustSomeGuy1 7 Years · 330 comments

lkrupp said:
So Microsoft and Google are researching and reporting macOS and iOS flaws. Fine and good. Does Apple itself have a security research team looking for flaws in macOS, Windows, Android, iOS?

Who cares? Just be grateful that they are.

This was a *bad* exploit. Actually it was several, but the one with zsh is just embarrassing! I am very very glad they found it and reported it to Apple.

Now that I think of it, Apple's mitigation isn't really complete. I will have to play around with this some, but I think the short-term patch would be to create zero-length root-owned unwritable .zshenv files in every admin user's home dir. (Or really, every home dir, to be safe.)

3 Likes · 0 Dislikes
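The hardening the comment above proposes, turned into an audit script as an added example (this is not the commenter's code and not anything from Microsoft or Apple). It assumes home directories live under /Users, that the expected owner is root, and the function names check_zshenv, audit_homes and harden_zshenv are chosen here.

```shell
#!/bin/sh
# Audit (and optionally apply) a zero-length, root-owned, read-only ~/.zshenv in
# each home directory, so zsh has no user-writable startup file to source when an
# installer's post-install script runs. Added example; assumed layout: /Users/*.

# check_zshenv DIR [OWNER]: print one reason, return 0 if hardened, 1 otherwise.
# OWNER defaults to root; it is a parameter only so the check can be exercised
# against a scratch directory without root privileges.
check_zshenv() {
    dir=$1; owner=${2:-root}; f="$dir/.zshenv"
    if [ -L "$f" ]; then
        echo "symlink (target may be writable)"; return 1
    elif [ ! -e "$f" ]; then
        echo "missing (a user could create one later)"; return 1
    elif [ -s "$f" ]; then
        echo "non-empty (its contents run in every zsh, installer scripts included)"; return 1
    # find -user / -perm behave the same on GNU and BSD/macOS find; the three
    # octal masks test the owner, group and other write bits respectively.
    elif [ -z "$(find "$f" -maxdepth 0 -user "$owner" 2>/dev/null)" ]; then
        echo "not owned by $owner"; return 1
    elif [ -n "$(find "$f" -maxdepth 0 \( -perm -0200 -o -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; then
        echo "writable"; return 1
    fi
    echo "hardened"; return 0
}

# audit_homes [PARENT] [OWNER]: run check_zshenv over every directory under
# PARENT (default /Users); print one line per home, return 1 on any finding.
audit_homes() {
    parent=${1:-/Users}; owner=${2:-root}; rc=0
    for d in "$parent"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        reason=$(check_zshenv "$d" "$owner") || rc=1
        echo "$d/.zshenv: $reason"
    done
    return $rc
}

# harden_zshenv DIR: create the empty, read-only, root-owned file (run as root).
# It refuses to clobber a .zshenv that already has content, so an existing
# user configuration is reviewed rather than silently destroyed.
harden_zshenv() {
    f="$1/.zshenv"
    if [ -s "$f" ]; then echo "refusing to overwrite non-empty $f" >&2; return 1; fi
    : > "$f" && chown root "$f" && chmod 0444 "$f"
}
```

audit_homes can be run as any user to report; harden_zshenv needs root for the chown.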