MacOS has a critical component called the System Integrity Protection, or SIP, which is responsible for protecting the operating system against malware and other threats. It does this by restricting system-level operations – even for users with root privileges – basically preventing unauthorized software from altering specific folders and files in protected areas.
Disabling the SIP normally requires a system restart and booting from macOS recovery, which would require physical access to a compromised machine. However, members of the Microsoft Threat Intelligence team discovered a vulnerability (tracked as CVE-2024-44243 and occasionally reported as ‘Migraine) which bypasses the SIP and allows third-party kernel extensions to load. This flaw could result in severe security implications for all Mac users.
By exploiting this security flaw, threat actors could access sensitive data by replacing databases that managed TCC policies, which means location, browsing history, camera and microphone access would all be available without a user's consent. Bypassing the SIP could also result in the installation of malware or rootkits, disabling or altering security tools to avoid detection and creating opportunities for additional attacks. An attacker could even hypothetically create files protected by the SIP that are undeletable by ordinary means, according to Microsoft's researchers.
Described by Apple as a logic issue that could allow a malicious app to modify protected parts of the system, the company released a patch for the vulnerability in December of last year; updates since macOS Sequoia 15.2 have contained fixes for it too.
The Microsoft Threat Intelligence team identified the specific vulnerability in the Storage Kit daemon, which is a critical macOS process responsible for managing disk state operations. The flaw could allow attackers with root access to bypass SIP protections by injecting and activating custom file system bundles to perform unauthorized actions. The bypass itself is made possible by leveraging Migration Assistant, a built-in macOS tool that activates the migration process to launch an arbitrary payload.
The Microsoft team also found several third party file system implementations to be vulnerable to exploitation, including Tuxera, Paragon, EaseUS and iBoysoft. By embedding custom code into these file systems and utilizing tools like Disk Utility or the ‘diskutil’ command, attackers could circumvent SIP and override Apple’s kernel extension exclusion list.
A different bypass technique that removes TCC protection for the Safari browser was previously found with Apple issuing a patch for that vulnerability back on September 16th. That report, filed in August, showed six Microsoft applications to be vulnerable to exploits that could grant unauthorized access to sensitive information, send emails, record videos and audio without any user interaction. Those applications were Outlook, Teams, PowerPoint, OneNote, Excel, Word.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
If you're using one of the best MacBooks or a desktop Mac like the Mac mini M4 or an iMac, you want to install updates as soon as they become available. However, for extra protection, you might even want to invest in the best Mac antivirus software too.
Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.
