Apple has patched a significant macOS vulnerability that allowed attackers to bypass System Integrity Protection (SIP) and install malicious kernel drivers.

The flaw, tracked as CVE-2024-44243, was found in the Storage Kit daemon, which handles disk state management. It enabled local attackers with root privileges to bypass SIP restrictions without physical access, potentially allowing the installation of rootkits or persistent malware, or the circumvention of Transparency, Consent, and Control (TCC) security checks.

SIP, also known as “rootless,” is a macOS security feature that limits the root user’s ability to modify protected system areas, allowing only Apple-signed processes or those with specific entitlements to make changes. Disabling SIP usually requires physical access and rebooting into macOS Recovery, making this exploit particularly concerning for compromised systems.


Microsoft highlighted the risks in their report, stating, “Bypassing SIP impacts the entire operating system’s security and could lead to severe consequences.” The vulnerability underscores the importance of robust security measures to detect abnormal behavior in macOS processes.

Apple addressed the issue in the macOS Sequoia 15.2 update, released on December 11, 2024, as part of its ongoing efforts to secure macOS against evolving threats. Microsoft researchers have uncovered multiple SIP-related vulnerabilities in the past, including Shrootless (CVE-2021-30892), Migraine (CVE-2023-32369), and Achilles (CVE-2022-42821). These discoveries emphasize the need for continuous vigilance and advanced security solutions to protect macOS users.
