MacOS has a critical component called the System Integrity Protection, or SIP, which is responsible for protecting the operating system against malware and other threats. It does this by restricting system-level operations – even for users with root privileges – basically preventing unauthorized software from altering specific folders and files in protected areas.
Disabling the SIP normally requires a system restart and booting from macOS recovery, which would require physical access to a compromised machine. However, members of the Microsoft Threat Intelligence team discovered a vulnerability (tracked as CVE-2024-44243 and occasionally reported as ‘Migraine) which bypasses the SIP and allows third-party kernel extensions to load. This flaw could result in severe security implications for all Mac users.
By exploiting this security flaw, threat actors could access sensitive data by replacing databases that managed TCC policies, which means location, browsing history, camera and microphone access would all be available without a user’s consent. Bypassing the SIP could also result in the installation of malware or rootkits, disabling or altering security tools to avoid detection and creating opportunities for additional attacks. An attacker could even hypothetically create files protected by the SIP that are undeletable by ordinary means, according to Microsoft’s researchers.
Described by Apple as a logic issue that could allow a malicious app to modify protected parts of the system, the company released a patch for the vulnerability in December of last year; updates since macOS Sequoia 15.2 have contained fixes for it too.
The Microsoft Threat Intelligence team identified the specific vulnerability in the Storage Kit daemon, which is a critical macOS process responsible for managing disk state operations. The flaw could allow attackers with root access to bypass SIP protections by injecting and activating custom file system bundles to perform unauthorized actions. The bypass itself is made possible by leveraging Migration Assistant, a built-in macOS tool that activates the migration process to launch an arbitrary payload.
The Microsoft team also found several third party file system implementations to be vulnerable to exploitation, including Tuxera, Paragon, EaseUS and iBoysoft. By embedding custom code into these file systems and utilizing tools like Disk Utility or the ‘diskutil’ command, attackers could circumvent SIP and override Apple’s kernel extension exclusion list.
A different bypass technique that removes TCC protection for the Safari browser was previously found with Apple issuing a patch for that vulnerability back on September 16th. That report, filed in August, showed six Microsoft applications to be vulnerable to exploits that could grant unauthorized access to sensitive information, send emails, record videos and audio without any user interaction. Those applications were Outlook, Teams, PowerPoint, OneNote, Excel, Word.
If you’re using one of the best MacBooks or a desktop Mac like the Mac mini M4 or an iMac, you want to install updates as soon as they become available. However, for extra protection, you might even want to invest in the best Mac antivirus software too.
