This macOS flaw lets hackers install 'undeletable' malware on your Mac — how to stay safe


A newly discovered macOS bug could allow hackers with root privileges to bypass Apple’s security protections and install “undeletable” malware on vulnerable Macs.

The flaw, dubbed Migraine and tracked as CVE-2023-32369, was actually discovered by a team of security researchers at Microsoft who then reported it to Apple.

If exploited on a Mac that hasn’t been updated, the flaw lets an attacker bypass macOS’ System Integrity Protection (SIP). As BleepingComputer points out, SIP is a macOS security mechanism that prevents software, even software running as the root user, from modifying certain protected system directories and files.

Essentially, SIP means that only processes signed by Apple and carrying specific entitlements, such as the company’s own software updates and installers, are allowed to alter protected components of macOS.

Fortunately, Apple patched this vulnerability earlier this month with security updates for macOS Ventura 13.4, macOS Monterey 12.6.6 and macOS Big Sur 11.7.7. Still, if you haven’t updated your Mac yet you could be at risk, especially now that the details of how the flaw works are public.

Bypassing SIP security

Normally, disabling SIP requires physical access to the Mac: an attacker would have to restart it, boot into macOS Recovery (Apple’s built-in recovery environment) and run csrutil disable from there.

However, Microsoft’s security researchers found a way to bypass SIP without a reboot, provided the attacker already has root privileges, by abusing Apple’s own Migration Assistant. They demonstrated that an attacker with root could automate the migration process with AppleScript and have it launch a malicious payload which, among other things, adds its own location to SIP’s exclusion list, all without restarting the Mac or booting into macOS Recovery.

Microsoft’s Threat Intelligence team provided further details on the Migraine vulnerability in a blog post, saying: “By focusing on system processes that are signed by Apple and have the com.apple.rootless.install.heritable entitlement, we found two child processes that could be tampered with to gain arbitrary code execution in a security context that bypasses SIP checks.”

What makes malware installed this way particularly dangerous is that it can’t be removed by standard deletion methods and can be hidden from security software. Worse, a SIP bypass can also be used to get around Apple’s Transparency, Consent and Control (TCC) policies, giving the attacker unrestricted access to the private data stored on a vulnerable Mac.
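Two checks a Mac administrator would want after reading the above, written here as an added shell example (it is not from the article, Microsoft or Apple): whether an installed macOS version is at or above the fixed releases named earlier (13.4, 12.6.6 and 11.7.7), and whether SIP’s exclusion list has gained entries relative to a known-good copy, which is where a Migraine-style payload would leave its trace. The script assumes that in /System/Library/Sandbox/rootless.conf an exclusion is a tab-separated line whose first field is "*" and whose last field is the excluded path; the two sample files it writes and the /private/var/tmp/payload entry in them are constructed for the demo, and the ROOTLESS_BASELINE variable is a name chosen for this example.

```sh
#!/bin/sh
# Added example, not from the article, Microsoft or Apple: a small triage
# script for CVE-2023-32369 ("Migraine").  The checks are plain functions
# so they can be exercised on sample data anywhere; only the last section
# touches a live macOS host.
# Assumptions (labelled): fixed versions are those named in the article
# (13.4, 12.6.6, 11.7.7); in rootless.conf a SIP exclusion is a
# tab-separated line whose first field is "*" and whose last field is the
# excluded path.

# is_patched VERSION -> exit 0 if VERSION is at or above the first fixed
# release of its major version.  Releases older than Big Sur are treated
# as unpatched and anything newer than Ventura as patched.
is_patched() {
  v="$1"
  major="${v%%.*}"
  case "$major" in
    13) fixed="13.4" ;;
    12) fixed="12.6.6" ;;
    11) fixed="11.7.7" ;;
    *)  [ "$major" -gt 13 ] 2>/dev/null && return 0; return 1 ;;
  esac
  # Field-wise numeric comparison: v >= fixed exactly when fixed sorts first.
  first=$(printf '%s\n%s\n' "$fixed" "$v" |
          sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$first" = "$fixed" ]
}

# sip_exclusions CONF -> print every path CONF marks as excluded from SIP.
sip_exclusions() {
  awk -F'\t' '$1 == "*" { print $NF }' "$1"
}

# new_sip_exclusions BASELINE CURRENT -> exclusions present in CURRENT but
# not in BASELINE (a rootless.conf copied from a clean install of the same
# macOS build).  A payload that added itself to the list shows up here.
new_sip_exclusions() {
  awk -F'\t' '
    FILENAME == ARGV[1] { if ($1 == "*") seen[$NF] = 1; next }
    $1 == "*" && !($NF in seen) { print $NF }
  ' "$1" "$2"
}

# make_samples DIR -> write two constructed rootless.conf-style files into
# DIR: a clean baseline and a copy with one extra (hypothetical) exclusion.
make_samples() {
  printf '\t\t\t\t/System\n\t\t\t\t/usr\n*\t\t\t\t/usr/local\n' \
    > "$1/baseline.conf"
  printf '\t\t\t\t/System\n\t\t\t\t/usr\n*\t\t\t\t/usr/local\n*\t\t\t\t/private/var/tmp/payload\n' \
    > "$1/current.conf"
}

# --- demo on constructed data (runs on any POSIX system) ---
dir=$(mktemp -d)
make_samples "$dir"
for ver in 13.3 13.4 12.6.5 12.6.6 11.7.7; do
  if is_patched "$ver"; then echo "macOS $ver: patched"; else echo "macOS $ver: VULNERABLE"; fi
done
echo "exclusions added relative to baseline:"
new_sip_exclusions "$dir/baseline.conf" "$dir/current.conf"
rm -rf "$dir"

# --- live check (macOS only; sw_vers and csrutil are Apple's own tools) ---
if [ "$(uname)" = Darwin ]; then
  live=$(sw_vers -productVersion)
  is_patched "$live" && echo "$live: patched" || echo "$live: VULNERABLE, update now"
  csrutil status   # reports whether SIP is enabled; works from a normal boot
  # Compare the live exclusion list against a baseline the operator supplies.
  if [ -n "${ROOTLESS_BASELINE:-}" ]; then
    new_sip_exclusions "$ROOTLESS_BASELINE" /System/Library/Sandbox/rootless.conf
  fi
fi
```

Run it as ROOTLESS_BASELINE=/path/to/clean/rootless.conf sh migraine_check.sh on each Mac; anything printed under the live check deserves a look, and the version check is only a proxy, since the real question is whether the May 2023 update has been applied.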

How to stay safe from macOS bugs


With macOS bugs like the one described above, the main way you can stay safe from any potential attacks exploiting them is to ensure your Mac is up to date and running the latest software.

When Apple issues security updates, they’re generally designed to fix serious bugs like this one, or macOS zero days that are more dangerous still. Hackers often prey on users who haven’t updated their devices, so installing updates as soon as they become available makes you less likely to fall victim to an attack.

Although Apple has its own built-in antivirus software in the form of XProtect, you may also want to install one of the best Mac antivirus software solutions for additional protection. If you want to protect your iPhone and iPad too, both Intego Mac Internet Security X9 and Intego Mac Premium Bundle X9 are the only Mac antivirus apps that can scan them for malware when connected to your computer via USB.

We may hear more from Apple about this macOS bug now it’s been patched and the company’s customers have had plenty of time to update their devices with the latest security updates.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.