Skip to main content

Zero-day exploit can bypass rootless on Mac to modify the system without detection

14 problems mac os x 10 11 el capitan fix apple osx hero
Image used with permission by copyright holder
A zero-day exploit affecting Mac OS X allows attackers to execute arbitrary code on any binary. That’s not good, and it gets worse. The exploit bypasses System Identity Protection (SIP, sometimes called rootless), and is almost impossible to trace once implemented. Apple has been notified and a patch is on the way.

“Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature,” wrote SentinelOne in a blog post announcing the discovery. A talk given by Pedro Vilaça at SyScan360, a security conference in downtown Singapore this week, outlined the exploit in detail.

The exploit is unique in that it doesn’t use memory corruption, an common attacker exploit. Instead, the attack exploits a longstanding vulnerability in OS X’s security schemes to gain near-total control over any Mac.

The even crazier thing, however, is that this exploit not only bypasses System Identity Protection but can actively use it to ensure changes made to the system aren’t repaired, something Vilaça calls a SIP “protection racket”.

SIP was introduced with OS X 10.11, El Capitan. It prevents users from changing core system files entirely, even if they enter a root password (hence the nickname “rootless”: there effectively is not a root user). Bypassing SIP and making changes means users cannot undo the changes without first disabling SIP.

Even worse, this exploit is hard to detect using traditional methods.

It all sounds awful, but happily there is no evidence of this exploit being used in the wild, and SentinelOne has informed Apple of the problems. Patches will be out soon.

Vilaça, for what it’s worth, is not blaming Apple.

“Designing security systems is hard,” Vilaça’s slides say at the end of the talk. “Move to defense and give it a try.”

You can read the presentation slides here. It’s a good overview, though a lot of the details seem to be mentioned on-stage and are not on the slides. Here’s hoping a longform version will come out soon.

Editors' Recommendations

Justin Pot
Former Digital Trends Contributor
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
Yes, you can use both Mac and Windows — here are some tips to get started
The keyboard of the MacBook Pro 14-inch on a wood surface.

I'm not a typical Windows or Mac user. Where most people choose one operating system and stick with it, I use both Windows 11 and MacOS regularly, going back and forth daily depending on my workflow. And it's easier to do than you probably think.

I have a fast Windows 11 desktop with three 27-inch 4K displays, and I use that for all my research-intensive work that benefits from multiple monitors. But for writing simple copy, and for personal tasks, I use a MacBook Pro 14 M1 Pro simply because I like it so much. It's not MacOS that draws me to the machine, but its battery life, cool yet quick operation, excellent keyboard and touchpad, and awesome HDR display. To stay sane, I've worked out a few tricks and techniques to make the constant switching bearable. Here's what I've learned.
Adjust to your keyboards

Read more
This critical macOS flaw may leave your Mac defenseless
A close-up of a MacBook illuminated under neon lights.

Apple’s macOS operating system has such a strong reputation for security that many people mistakenly believe Macs simply aren’t affected by malware. Well, Microsoft has served up a reminder that that’s not true, as the company has identified a serious vulnerability that affects one of macOS’s most important lines of defense.

According to Bleeping Computer, the bug was first reported by Jonathan Bar Or, Microsoft’s principal security researcher, who named the flaw Achilles. It is now tracked as CVE-2022-42821.

Read more
Beware — even Mac open-source apps can contain malware
A pair of glasses rests on a desk in front of multiple computer monitors filled with code.

Installing apps on a Mac is generally considered to be safer than doing so on Windows and open-source software is usually benign but there are exceptions to both of these assumptions that can do untold damage to your privacy and security.

A recent discovery by Trend Micro provides a startling example of this risk. An open-source app designed to help Mac owners with iPhone and iPad app signing has been altered to include a nasty hack that steals your Apple Keychain data. The original app is called ResignTool and it’s available for free on the popular open-source site, GitHub. The app is six years old and both the code and the ready-to-run app can be downloaded from GitHub. That isn’t the problem.

Read more