Microsoft Unveils Patched Security Flaw in macOS SIP

Medium-Severity Vulnerability in macOS Exposed

Microsoft has revealed details about a recently patched vulnerability affecting Apple macOS. The flaw, identified as CVE-2024-44243 (CVSS score: 5.5), could allow attackers with “root” access to bypass System Integrity Protection (SIP). If exploited, this flaw would enable the installation of malicious kernel drivers by loading unauthorized third-party extensions.

Apple addressed the issue in macOS Sequoia 15.2, released last month, describing the vulnerability as a “configuration issue” that could allow harmful apps to manipulate protected parts of the file system.

Why This Vulnerability Is a Concern

According to Jonathan Bar Or from the Microsoft Threat Intelligence team, bypassing SIP could lead to several dangerous consequences. These include enabling attackers to:

  • Install rootkits or persistent malware.
  • Avoid Transparency, Consent, and Control (TCC) protections.
  • Expand opportunities for further attacks or exploits.

SIP, also known as “rootless,” is a macOS feature designed to secure sensitive system areas like /System, /usr, and pre-installed applications. It prevents even the root user from tampering with these areas unless specific Apple-signed processes or updates are involved.

How SIP Protects macOS

SIP enforces strict rules to guard system files:

  1. File System Restrictions: Only Apple-signed processes can modify protected parts of the file system.
  2. Special Entitlements: Processes with specific entitlements, such as com.apple.rootless.install, can bypass SIP’s restrictions. Another entitlement, com.apple.rootless.install.heritable, allows child processes of an authorized process to inherit these permissions.

Details of the Vulnerability

CVE-2024-44243 is the latest in a series of SIP-related security flaws Microsoft has discovered in macOS. Similar issues include CVE-2021-30892 (Shrootless) and CVE-2023-32369 (Migraine).

This specific flaw takes advantage of macOS’s Storage Kit daemon (storagekitd), which can spawn arbitrary child processes without properly validating them or dropping its privileges. An attacker who already has root could exploit this behavior to:

  1. Place a malicious file system bundle in /Library/Filesystems.
  2. Overwrite binaries used by Disk Utility.
  3. Trigger Disk Utility operations like disk repair to activate these malicious changes.

As a result, SIP protections could be bypassed, granting attackers full control over the system.
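As an added example (not code from the article, Microsoft or Apple), here is a small POSIX shell audit a defender could run for the three conditions the article names: whether the installed macOS carries the 15.2 fix, whether SIP is enabled, and whether every bundle in /Library/Filesystems still carries a valid code signature. It assumes the standard macOS tools sw_vers, csrutil and codesign are present; the pure-shell helpers run on any system.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the macOS tools sw_vers,
# csrutil and codesign; on other systems only the pure-shell helpers run.
# version_ge A B: succeed if dotted version A is >= B (15.2.1 >= 15.2).
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}
# sip_enabled TEXT: succeed if `csrutil status` output reports SIP enabled.
sip_enabled() {
  case $1 in
    *"System Integrity Protection status: enabled"*) return 0 ;;
    *) return 1 ;;
  esac
}
# audit_filesystems DIR: the attack chain stages a bundle in
# /Library/Filesystems, so verify each bundle's signature with codesign.
audit_filesystems() {
  dir=${1:-/Library/Filesystems}
  [ -d "$dir" ] || { echo "no $dir present"; return 0; }
  for b in "$dir"/*; do
    [ -e "$b" ] || continue
    if ! command -v codesign >/dev/null 2>&1; then
      echo "SKIP    $b (codesign unavailable)"
    elif codesign --verify --deep --strict "$b" 2>/dev/null; then
      echo "OK      $b"
    else
      echo "INVALID $b  <- review: unsigned or tampered bundle"
    fi
  done
}
if command -v sw_vers >/dev/null 2>&1; then
  v=$(sw_vers -productVersion)
  version_ge "$v" 15.2 && echo "macOS $v: CVE-2024-44243 fix present" \
                        || echo "macOS $v: update to 15.2 or later"
fi
if command -v csrutil >/dev/null 2>&1; then
  sip_enabled "$(csrutil status)" && echo "SIP: enabled" || echo "SIP: DISABLED"
fi
audit_filesystems
```

An INVALID line is a lead to investigate, not proof of compromise; some vendor file system bundles legitimately fail `--strict` and should be checked against the vendor's published signature instead.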

Broader Implications for macOS Security

This report follows Microsoft’s disclosure of another vulnerability in macOS’s TCC framework (CVE-2024-44133). That flaw also had a medium severity score (CVSS 5.5) and could have been used to access sensitive data.

Microsoft’s research emphasizes that bypassing SIP undermines the overall reliability of macOS. Without SIP’s protections, attackers could manipulate security tools and make the system more vulnerable to further attacks.

Final Thoughts

While prohibiting third-party kernel code can enhance macOS stability, it also limits the ability of security tools to monitor the system effectively. According to Bar Or, bypassing SIP removes these critical safeguards, leaving the system exposed to malicious tampering.

Apple’s quick response to patch these vulnerabilities shows the importance of keeping macOS updated to protect against evolving threats. If you haven’t already, ensure your system is running macOS Sequoia 15.2 to stay secure.