What you need to know
- Microsoft identified a new vulnerability campaign dubbed ‘Migraine’ affecting System Integrity Protection for Mac users.
- Attackers leveraged it to bypass the SIP and gain access to user devices, exposing them to malicious software and rootkits.
- Working with Microsoft, Apple has released a software update to fix the issue.
In May, Microsoft discovered a new vulnerability affecting Mac users dubbed “Migraine,” and informed Apple about the matter. Upon further investigation, the company discovered that hackers were leveraging it to bypass the System Integrity Protection (SIP) and gain access to these devices automatically, thus allowing them to “perform arbitrary operations on a device.”
For those not conversant with System Integrity Protection, it’s a security feature that essentially protects from malicious attacks. The feature first shipped to Mac devices via macOS Yosemite’s debut and works by restricting root user accounts and limiting the actions the user can perform on protected parts of macOS.
A macOS vulnerability could allow an attacker with root access to bypass System Integrity Protection (SIP) and perform arbitrary operations on a device. Learn more about CVE-2023-32369, which we refer to as “Migraine”, and its patch in our latest blog: https://t.co/DAyWI2zsecMay 30, 2023
With this in mind, bypassing the security feature could potentially cause a lot of damage, as attackers could leverage this opportunity to spread malware on your device. For instance, they could create persistent malware or even install rootkits. Microsoft further detailed that attackers leveraged Apple’s Migration Assistant for their exploits.
Unlike most features in Mac devices, the tool doesn’t have restricted root access, so it would be impossible to transfer files. Through this exploit, attackers can bypass the SIP feature on MacOS. Essentially, the Migration Assistant app is available during user setup, and an attacker must first gain local access to the device.
The “Migraine” security vulnerability creates a situation where attackers could easily create files protected with the System Integrity Protection technology and then use it to bypass the same security measure; this made it extremely difficult to detect and thus easier to bypass.
Luckily, Apple has since resolved the issue (CVE-2023-32369) via a software update (macOS 13.4 ) that shipped to users on May 18. Therefore, you should be safe if you’ve updated your device to run on the latest update.
