Microsoft discovered a critical vulnerability on macOS

An attacker could exploit this Shrootless vulnerability to bypass Apple's System Integrity Protection (SIP) and perform arbitrary actions, elevating privileges to root and install rootkits. on the victim's devices.

After discovering the vulnerability, the Microsoft 365 Defender Research Team security research team reported it to Apple through the Microsoft Security Vulnerability Research (MSVR) program. The vulnerability has also been assigned the CVE code as CVE-2021-30892 for easy tracking.

SIP (also known as rootless) is a macOS security technology that helps prevent malware from tampering with protected folders and files. SIP works by restricting the root user account and limiting the actions it can perform on protected parts of the operating system.

By design, SIP only allows programs that have been certified by Apple or those with special permissions (Apple software updates and Apple installers) to interfere with, modify, protection of macOS.

Microsoft researchers discovered Shrootless after noticing that the system-installd daemon had the com.apple.rootless.install.inheritable permission that allowed any subprocess to bypass the limitations of the SIP system .

According to Microsoft experts, after bypassing SIP, an attacker can install rootkits on the machine, overwrite system files or install malicious code without being detected.

Apple released a patch for the Shrootless vulnerability on October 26. Microsoft experts highly appreciate Apple's professionalism and quickness in handling this security hole.

Marvin Fry

Update 01 November 2021