Critical macOS flaw puts your data and cameras at risk — update right now

MacBook Pro 16-inch 2021 sitting on a patio table

(Image credit: Tom's Guide)

MacOS has a critical component called the System Integrity Protection, or SIP, which is responsible for protecting the operating system against malware and other threats. It does this by restricting system-level operations – even for users with root privileges – basically preventing unauthorized software from altering specific folders and files in protected areas.

Disabling the SIP normally requires a system restart and booting from macOS recovery, which would require physical access to a compromised machine. However, members of the Microsoft Threat Intelligence team discovered a vulnerability (tracked as CVE-2024-44243 and occasionally reported as ‘Migraine) which bypasses the SIP and allows third-party kernel extensions to load. This flaw could result in severe security implications for all Mac users.

By exploiting this security flaw, threat actors could access sensitive data by replacing databases that managed TCC policies, which means location, browsing history, camera and microphone access would all be available without a user's consent. Bypassing the SIP could also result in the installation of malware or rootkits, disabling or altering security tools to avoid detection and creating opportunities for additional attacks. An attacker could even hypothetically create files protected by the SIP that are undeletable by ordinary means, according to Microsoft's researchers.

The Microsoft Threat Intelligence team identified the specific vulnerability in the Storage Kit daemon, which is a critical macOS process responsible for managing disk state operations. The flaw could allow attackers with root access to bypass SIP protections by injecting and activating custom file system bundles to perform unauthorized actions. The bypass itself is made possible by leveraging Migration Assistant, a built-in macOS tool that activates the migration process to launch an arbitrary payload.

The Microsoft team also found several third party file system implementations to be vulnerable to exploitation, including Tuxera, Paragon, EaseUS and iBoysoft. By embedding custom code into these file systems and utilizing tools like Disk Utility or the ‘diskutil’ command, attackers could circumvent SIP and override Apple’s kernel extension exclusion list.

A different bypass technique that removes TCC protection for the Safari browser was previously found with Apple issuing a patch for that vulnerability back on September 16th. That report, filed in August, showed six Microsoft applications to be vulnerable to exploits that could grant unauthorized access to sensitive information, send emails, record videos and audio without any user interaction. Those applications were Outlook, Teams, PowerPoint, OneNote, Excel, Word.

More from Tom's Guide

Any Contract Length

12 Months Contracts

24 Months Contracts

Showing 10 of 10 deals

Filters☰

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.

GET TG ACCESS QUICK

More from Tom's Guide