
Microsoft found a macOS exploit that could completely bypass System Integrity Protection

Apple patched macOS "Migraine" exploit

Microsoft identified a new macOS vulnerability called "Migraine" that can cause headaches for Mac users — but only if you haven't updated your software recently.

On May 30, Microsoft published a new threat intelligence paper detailing a macOS vulnerability they call "Migraine," which they've already alerted Apple about. With this vulnerability, attackers with root access on a machine can "automatically bypass" System Integrity Protection (SIP) and perform arbitrary operations on that device.

Apple first introduced SIP, or "rootless", with the launch of macOS Yosemite. The feature is meant to protect macOS by using the Apple sandbox to lock down the system even from root, for example through filesystem restrictions.

Microsoft notes in its paper that, "The files and directories that are protected by SIP by default are commonly ones that are related to the system's integrity." And, what's more, it's impossible to turn off SIP on a live system, meaning it's always present and running.

Microsoft outlines how SIP and entitlements work in macOS, and goes into detail on how they discovered "Migraine," the approach to exploitation, and the general implications of attacks that become possible by bypassing SIP.

One of the reasons this exploit was so dangerous is that attackers could carry it out remotely. An attack like this is easy for someone who has hands-on access to the computer, but Migraine is exploitable even when that isn't the case.

The Microsoft engineers discovered that simply patching Migration Assistant would not be sufficient to stop the exploit. Instead, they were able to run the exploit via Setup Assistant using a specially crafted Time Machine backup file with AppleScript's help.

How to protect yourself from "Migraine"

As mentioned above, Microsoft already notified Apple of this particular vulnerability. As a result, Apple was able to patch the potential attack point with a software update released in May.

If you want to remain protected against this vulnerability, update your Mac to the latest version.

Apple released macOS Ventura 13.4 on May 18, 2023, which primarily included security patches and other improvements.