Flaw in macOS briefly allowed attackers to install what they wanted

Credit: Andrew O'Hara, AppleInsider

The vulnerability, dubbed "Shrootless," leverages the fact that Apple-notarized app install packages can still perform activities normally barred by SiP. According to a blog post Microsoft's 365 Defender Research Team, this is because the kernel can still alter protected locations on macOS.

Normally, these types of attacks are prevented by SiP, which was first introduced in maCOS 10.11 El Capitan. The feature adds kernel-level defenses against changing specific files within macOS, even if an app or user has root privileges.

However, as Microsoft notes, SiP must allow installer packages to temporarily bypass the protections in order to install an app or other files. It does so by allowing the packages to bypass SiP through an inheritance system.

The problem lies in the fact that install packages can contain post-install scripts that macOS performs with the default system shell. If an attacker were to modify those scripts, it would mean that they could be executed with the inherited SiP bypass privileges.

Of course, the attack technique would hinge on whether a user downloads and runs an installer package that has been tampered with. An attacker could trick a user into downloading a malicious installer package, or a user could simply download one inadvertently through carelessness.

Once exploited, the vulnerability could theoretically allow an attacker to perform other attacks through elevated permissions, or gain persistence on a system.

How to protect yourself

Apple patched the vulnerability in macOS Monterey 12.0.1, as well as in security updates to macOS Big Sur and macOS Catalina.

However, older versions of Apple's operating systems are still vulnerable to the flaw. Because of that, and the other security updates contained in the recent releases, it's recommended that users upgrade their computers.