Microsoft Discovers macOS System Vulnerability 'Migraine'

A new vulnerability in macOS, dubbed "Migraine," has been discovered by the Microsoft Threat Intelligence team.

Microsoft's security team, which posted a detailed blog about the flaw this week, said if Migraine is successfully exploited, an attacker can bypass System Integrity Protection (SIP) and perform malicious operations on a device. SIP is the built-in MacOS protection that protects the system from operations that could affect stability and security.

"Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, and expand the attack surface for additional techniques and exploits," wrote Microsoft.

By targeting system processes signed by Apple and possessing the entitlement, the researchers discovered two additional processes that could be manipulated by attackers to execute arbitrary code without SIP checks.

In the blog post, Microsoft demonstrated how, through the use of the Apple-signed system processes, a potential attacker could bypass the built-in security features to push through malware. The company did note that in order for a successful attack to be pulled off, an attacker would need physical access to the system.

After initially discovering the flaw, Microsoft notified Apple, which then released a security update on May 18.

This is not the first time Microsoft security researchers have found a flaw that could bypass SIP in MacOS. In 2021 the company alerted Apple of the "Shrootless" vulnerability, which acts in the same manner to bypass built-in baseline protections.

Microsoft said that while tech like SIP in macOS is strong defense against malware attacks, it is not 100 percent guaranteed to keep a system protected, as is evident by this month's Migraine and 2021's Shrootless vulnerabilities. Per Microsoft:

It [Migraine] highlights the need for organizations to have a security solution like Microsoft Defender for Endpoint that empowers them to quickly discover and remediate vulnerabilities through threat and vulnerability management. This allows defenders to detect vulnerabilities and misconfigurations on devices in real time and prioritize which need to be addressed immediately based on the threat landscape, business context, and other factors.

Microsoft also reiterated the importance of collaboration across security teams and vendors that allows for quick response and timely security patching "that secure users’ computing experience regardless of the platform or device they’re using."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube