Apple Vulnerability Exposed: How Hackers Bypassed System Integrity Protection and Installed Undeletable Malware

A recently addressed Apple vulnerability enabled attackers with root privileges to bypass System Integrity Protection and install undeletable malware. In doing so, they gain access to the victim’s private data by manipulating security checks.

The vulnerability, known as Migraine, was discovered by a team of security researchers at Microsoft and reported to Apple with the identity CVE-2023-32369.

The security vulnerability has been fixed in the following updates to the macOS operating system by Apple, such as: macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7. These updates were released two weeks ago on May 18, 2023.

MacOS’ System Integrity Protection mechanism also prevents potential malware from modifying specific folders and files by imposing restrictions on the root user account and its privileges within protected areas of the operating system.

System Integrity Protection works on the principle that only processes signed by Apple or those with special entitlements are allowed to change protected components in macOS, such as Apple software updates and installers.

In addition, it is also necessary to note that there is no way to disable System Integrity Protection without restarting the system and turning off the function known as MacOS Restore. This requires physical access to an already compromised device.

Microsoft researchers have also determined that attackers with root permissions can bypass System Integrity Protection by misusing the macOS Migration Assistant built into macOS. This application takes advantage of the systemmigration daemon and is able to bypass system integrity protection using its com.apple.rootless.install entitlement.

Studies have shown that rooted hackers are able to automate the migration process using AppleScript, and then can execute a malicious payload when it is added to macOS’ System Integrity Protection exception list without having to reboot or boot macOS recovery.

The researchers also emphasized that arbitrary breaches of system integrity protection pose significant risks, especially when exploited by malware creators. These overrides enable malicious code to affect the system in the long term. Among those risks is the creation of malware protected by System Integrity Protection, which cannot be removed using traditional removal methods.

In addition, the expansion of exploiting vulnerabilities can lead to a significant increase in the scope of attacks, as attackers can exploit these vulnerabilities to manipulate the integrity of the system by executing malware in the system kernel. In addition, attackers can install rootkits to hide malicious processes and files from security software.

Reports stated that this is not the first time that vulnerabilities in the macOS system have been reported by Microsoft researchers in recent years. In 2021, another vulnerability was reported that allowed System Integrity Protection to be bypassed. However, it was fixed before it was exploited by hackers.