Microsoft's Threat Intelligence team has disclosed a vulnerability in Apple's macOS that lets an attacker who already has root bypass System Integrity Protection (SIP) and, from there, load third-party kernel extensions that SIP would normally block. The vulnerability, tracked as CVE-2024-44243, was patched by Apple in the macOS Sequoia 15.2 security update released on December 11, 2024.
The flaw is in storagekitd, the daemon behind Disk Utility that manages disk state. storagekitd holds a private Apple entitlement (com.apple.rootless.install.heritable) that exempts it from SIP's file system restrictions, and because that entitlement is heritable, any process it spawns gets the same exemption. Microsoft found that storagekitd could be made to spawn an attacker-controlled process without validating it, handing that process the SIP bypass.
"System Integrity Protection (SIP) serves as a critical safeguard against malware, attackers, and other cybersecurity threats, establishing a fundamental layer of protection for macOS systems," Microsoft said.
The bypass requires root: an attacker who already has root privileges could use it to circumvent SIP, the mechanism that keeps even root from modifying protected system files, directories and processes.
"Bypassing SIP impacts the entire operating system's security and could lead to severe consequences, emphasizing the necessity for comprehensive security solutions that can detect anomalous behavior from specially entitled processes."
The impact of the vulnerability is severe, because a SIP bypass lets an attacker install rootkits, deploy malware that persists in protected locations, bypass Transparency, Consent and Control (TCC) protections, and widen the attack surface for further exploits.
[Image: storagekitd and its SIP-related entitlements]
Microsoft and independent security researcher Mickey Jin discovered the vulnerability independently of each other, and both reported it to Apple through coordinated disclosure.
Microsoft's write-up shows the bypass being triggered through a custom file system implementation. macOS lets third parties register file systems by placing a bundle in /Library/Filesystems, a directory that is root-writable and not SIP-protected. An attacker with root can plant a malicious file system bundle there and then drive Disk Utility so that storagekitd runs the bundle's binaries. Those binaries inherit storagekitd's heritable entitlement and therefore run with SIP's restrictions lifted, which is what allows the attacker to load kernel extensions and modify protected locations.
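The mechanism above suggests a straightforward behavioural detection: a process with a heritable SIP-bypass entitlement should only ever spawn Apple-signed code from the sealed system volume, never a binary from /Library/Filesystems. The Python below is an added example (it is not Microsoft's or Apple's code) that runs that heuristic over constructed process-spawn events; the event shape, the `signer` field and the set of entitled parent names are assumptions for the example, not a real EDR schema.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parents known to carry a heritable SIP-bypass entitlement. storagekitd is the
# one from CVE-2024-44243; in practice this set would be built from
# `codesign -d --entitlements -` output rather than hard-coded (assumption).
ENTITLED_PARENTS = {"storagekitd"}

# Prefixes where Apple-shipped, SIP-protected binaries live.
SYSTEM_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                   "/bin/", "/sbin/")

# Third-party file system bundles are installed here. The directory is
# root-writable and not SIP-protected, which is what made the bypass possible.
THIRD_PARTY_FS_DIR = "/Library/Filesystems/"


@dataclass(frozen=True)
class ExecEvent:
    """One process-spawn record (constructed shape, not a real EDR schema)."""
    parent: str             # short name of the spawning process
    child_path: str         # absolute path of the executable being spawned
    signer: Optional[str]   # "apple" for Apple platform code, a Team ID for
                            # third-party signed code, None if unsigned


def classify(ev: ExecEvent) -> Optional[str]:
    """Return a reason string if the spawn is suspicious, else None.

    Only children of an entitled parent matter: they inherit the SIP bypass.
    The checks are ordered from most to least specific so the reason names
    the clearest problem first.
    """
    if ev.parent not in ENTITLED_PARENTS:
        return None  # nothing to inherit, out of scope for this rule
    if ev.child_path.startswith(THIRD_PARTY_FS_DIR):
        return (f"{ev.parent} ran code from a third-party file system bundle: "
                f"{ev.child_path}")
    if not ev.child_path.startswith(SYSTEM_PREFIXES):
        return f"{ev.parent} ran code outside the system volume: {ev.child_path}"
    if ev.signer != "apple":
        return (f"{ev.parent} ran non-Apple-signed code "
                f"(signer={ev.signer}): {ev.child_path}")
    return None


def detect(events: List[ExecEvent]) -> List[Tuple[ExecEvent, str]]:
    """Run classify() over a stream of events and keep the findings."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            findings.append((ev, reason))
    return findings


# Constructed sample events: two benign spawns of Apple code, two spawns of
# third-party bundle code by storagekitd (the CVE-2024-44243 pattern), and one
# third-party spawn by launchd, which carries no SIP bypass to inherit.
SAMPLE_EVENTS = [
    ExecEvent("storagekitd",
              "/System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util",
              "apple"),
    ExecEvent("storagekitd",
              "/Library/Filesystems/evil.fs/Contents/Resources/newfs_evil",
              None),
    ExecEvent("storagekitd",
              "/Library/Filesystems/vendor.fs/Contents/Resources/mount_vendor",
              "ABCDE12345"),
    ExecEvent("launchd",
              "/Library/Filesystems/vendor.fs/Contents/Resources/mount_vendor",
              "ABCDE12345"),
    ExecEvent("storagekitd", "/sbin/fsck_apfs", "apple"),
]


if __name__ == "__main__":
    for ev, reason in detect(SAMPLE_EVENTS):
        print("ALERT:", reason)
```

Note that the third-party vendor bundle is flagged even though it is signed: a legitimate vendor file system would trip this rule too, so in production the finding should be triaged against an allow-list of expected bundles rather than treated as a confirmed exploit. The point of the rule is that storagekitd running anything from /Library/Filesystems is exactly the path the bypass takes, so it is worth a look every time.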
This discovery adds to Microsoft's track record of finding macOS security flaws. In recent years its researchers have reported several significant ones, including 'Shrootless' (CVE-2021-30892) in 2021 and 'Migraine' (CVE-2023-32369) in 2023, both of which were also SIP bypasses.
They also identified 'Achilles' (CVE-2022-42821), a Gatekeeper bypass that could let malware delivered in an untrusted application run without the usual quarantine prompts.
To detect and mitigate such threats, Microsoft has implemented new monitoring capabilities in Microsoft Defender for Endpoint, specifically designed to identify anomalous behavior from specially entitled processes on macOS.
Microsoft Defender Vulnerability Management has also been updated to surface devices affected by CVE-2024-44243 and similar vulnerabilities so they can be remediated quickly.
Users are strongly advised to update to macOS Sequoia 15.2 or later, which contains the fix, to protect against potential exploitation of this vulnerability.