Microsoft identified a new macOS vulnerability called "Migraine" that can cause headaches for Mac users — but only if you haven't updated your software recently.
On May 30, Microsoft published a new threat intelligence paper detailing a macOS vulnerability they call "Migraine," which they've already alerted Apple about. With this vulnerability, attackers with root access on a machine can "automatically bypass" System Integrity Protection (SIP) and perform arbitrary operations on that device.
Apple first introduced SIP, or "rootless", with the launch of macOS Yosemite. The security element is meant to protect macOS software by utilizing the Apple sandbox to lock down the system from root, such as a filesystem restriction element.
Microsoft notes in its paper that, "The files and directories that are protected by SIP by default are commonly ones that are related to the system's integrity." And, what's more, it's impossible to turn off SIP on a live system, meaning it's always present and running.
Microsoft outlines how SIP, and entitlements, work in macOS, and goes into detail how they discovered "Migraine," the approach of the exploitation, and general implications of attacks that are possible by bypassing SIP.
One of the reasons this exploit was so dangerous, is the ability for attackers to do so remotely. An attack like this is easy for someone who has hands-on the computer, but Migraine is exploitable even when that isn't the case.
The Microsoft engineers discovered that simply patching Migration Assistant would not be sufficient to stop the exploit. Instead, they were able to run the exploit via Setup Assistant using a specially crafted Time Machine backup file with AppleScript's help.
How to protect yourself from "Migraine"
As mentioned above, Microsoft already notified Apple of this particular vulnerability. As a result, Apple was able to patch the potential attack point with a software update released in May.
If you want to remain protected against this vulnerability, update your Mac to the latest version.
Apple released macOS Ventura 13.4 on May 18, 2023, which primarily included security patches and other improvements.
18 Comments
Thank you Microsoft. Very nice to see a severe exploit discovery processed in a highly professional and cooperative manner. I'm sure the check from Apple is in the mail to some highly deserving Microsoft security researchers.
Microsoft (of DOS & Windows infamy) that has more bugs and malware than there are pebbles on the beach. They are so busy swatting their sheit, when do they have the time to debug others?
Jesus said it best. Hypocrite! First remove the plank from your own eye, and then you will see clearly to remove the speck from your brother’s eye
Take the win guys, macOS just got more secure. No need to shoot the messenger just because they're from a different tribe.