Skip to main content
  1. Home
  2. Computing
  3. Apple
  4. News

Zero-day exploit can bypass rootless on Mac to modify the system without detection

Justin Pot
By

14 problems mac os x 10 11 el capitan fix apple osx hero
A zero-day exploit affecting Mac OS X allows attackers to execute arbitrary code on any binary. That’s not good, and it gets worse. The exploit bypasses System Identity Protection (SIP, sometimes called rootless), and is almost impossible to trace once implemented. Apple has been notified and a patch is on the way.

“Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature,” wrote SentinelOne in a blog post announcing the discovery. A talk given by Pedro Vilaça at SyScan360, a security conference in downtown Singapore this week, outlined the exploit in detail.

The exploit is unique in that it doesn’t use memory corruption, an common attacker exploit. Instead, the attack exploits a longstanding vulnerability in OS X’s security schemes to gain near-total control over any Mac.

The even crazier thing, however, is that this exploit not only bypasses System Identity Protection but can actively use it to ensure changes made to the system aren’t repaired, something Vilaça calls a SIP “protection racket”.

SIP was introduced with OS X 10.11, El Capitan. It prevents users from changing core system files entirely, even if they enter a root password (hence the nickname “rootless”: there effectively is not a root user). Bypassing SIP and making changes means users cannot undo the changes without first disabling SIP.

Even worse, this exploit is hard to detect using traditional methods.

It all sounds awful, but happily there is no evidence of this exploit being used in the wild, and SentinelOne has informed Apple of the problems. Patches will be out soon.

Vilaça, for what it’s worth, is not blaming Apple.

“Designing security systems is hard,” Vilaça’s slides say at the end of the talk. “Move to defense and give it a try.”

You can read the presentation slides here. It’s a good overview, though a lot of the details seem to be mentioned on-stage and are not on the slides. Here’s hoping a longform version will come out soon.

Editors' Recommendations

Video-editing app LumaFusion to get a Galaxy Tab S8 launch

A tablet featuring the LumaFusion video editing app.

This concept reimagines a classic Mac app in desperate need of a revamp

Apple's M2 MacBook Air is super thin and light.

This classic Mac feature solved my multitasking problems

The 2020 Mac Mini, powered by Apple's M1 chip, on a wooden surface.

This dangerous Mac malware can infiltrate your entire system

A depiction of a hacker breaking into a system via the use of code.

These secret Finder settings will vastly improve your Mac

A man holds the new Macbook Air (2022) in his hands.

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Elon Musk talks to the press as he arrives to to have a look at the construction site of the new Tesla Gigafactory near Berlin.

The best OLED laptops for 2022

The Dell XPS 13 Plus on a table outside.

Elon Musk’s Starlink satellites hacked by $25 homemade device

A Starlink dish next to an RV.

The best ultrawide monitors for 2022

A LG ultradwide monitor.

Best smartwatch deals for August 2022

Best Samsung Galaxy Watch deals for August 2022

Galaxy Watch 4 Classic (left) and Galaxy Watch 3 (right).

Best Peloton alternatives for August 2022

L Now Indoor Exercise Bike

Best Instant Pot deals for August 2022

instant pot duo crisp duo80 duo60 bestbuy walmart deals 60 7 in 1