Apple Security Apple Security

Microsoft Discovers Critical macOS Vulnerability That Bypasses System Integrity Protection

Apple’s System Integrity Protection (SIP) has been a cornerstone of macOS security since its introduction with OS X El Capitan in 2015. This robust security feature ensures that apps are unable to access or modify system files at a root level, bolstering the overall security of Apple devices.

However, Microsoft’s security team recently uncovered a vulnerability named “Migraine” that allows attackers to bypass SIP, potentially leading to arbitrary code execution and enabling the installation of malware and rootkits. This discovery raises concerns about the system’s integrity and highlights the importance of timely software updates.

The Migraine exploit, detailed in a Microsoft Security blog post, targets the macOS Migration Assistant—a built-in tool that facilitates the seamless transfer of data from a Mac or Windows PC to another Mac. By exploiting a special entitlement intended to grant unrestricted root access to the Migration Assistant, attackers can circumvent SIP’s multiple security layers.

Traditionally, the Migration Assistant is accessible solely during the setup process of a new user account, requiring a complete system sign-out and physical access to the computer. However, Microsoft demonstrated that the Migraine exploit can be employed without these limitations, illustrating the potential risk it poses to macOS users.

Microsoft’s researchers modified the Migration Assistant utility to operate without logging out the user. Unfortunately, this modification led to a codesign failure, causing the app to crash. To work around this issue, the researchers leveraged debug mode in the Setup Assistant—an app guiding users through the initial setup—to bypass the lack of a valid signature on the modified Migration Assistant.

By running the Setup Assistant in debug mode, researchers could conveniently skip the setup process steps and proceed directly to the compromised Migration Assistant. Even in the macOS environment, this exploit still necessitated a disk to be restored and interact with the interface.

To further demonstrate the severity of the vulnerability, Microsoft created a 1 GB Time Machine backup containing potential malware. Using an AppleScript, researchers automatically mounted this backup and manipulated the Migration Assistant interface, all without the user’s awareness. Consequently, the Mac would unknowingly import data from the malicious backup, further emphasizing the danger of the Migraine exploit.

Related articles

Thankfully, users running the latest version of macOS Ventura need not fret. Microsoft promptly informed Apple about the vulnerability, resulting in its resolution with the macOS 13.4 update, released to the public on May 18. Apple acknowledged the invaluable contribution of the Microsoft researchers, recognizing their efforts to ensure the security and integrity of its ecosystem.

If you haven’t already done so, it is crucial to update your Mac to the latest version of macOS. By navigating to System Settings, then clicking on General, and Software Update, you can ensure that your device benefits from the latest security patches and fixes, safeguarding your system against potential vulnerabilities.

Do you like this article?

Follow Silicon Features on X, Facebook, Instagram, or Threads, and stay updated.