A newly discovered zero-day vulnerability for OS X allows hackers to execute code previously thought to be protected by Apples new kernel defense, known as System Identity Protection (SIP).
“Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature,” said SentinelOne in a blog post announcing the discovery.
SIP was a feature first introduced in El Capitan. It prevents users from changing system files through a “rootless” system that keeps even administrator accounts from accessing specific files without first disabling SIP.
SentinelOne’s slides detail how a hacker could attack SIP directly, foregoing traditional exploits — such as memory corruption — to access a system all while operating with impunity due to the difficulty of spotting the exploit once it’s implemented.
Once the hacker bypasses SIP, they have near total control of any device running OS X.
Worse, bad actors could then use SIP as a a shield to prevent the system from repairing itself, a move SentinelOne security researcher calls a “protection racket.”
Apple has been notified of the issue and a patch is on the way.
Apple OS X Zero Day Vulnerability Can Bypass System Integrity Protection on Sentinel One