• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Stellantis probes data breach linked to third-party provider

 | 

FBI alerts public to spoofed IC3 site used in fraud schemes

 | 

EU agency ENISA says ransomware attack behind airport disruptions

 | 

Researchers expose MalTerminal, an LLM-enabled malware pioneer

 | 

Beware: GitHub repos distributing Atomic Infostealer on macOS

 | 

ESET uncovers Gamaredon–Turla collaboration in Ukraine cyberattacks

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 63

 | 

Security Affairs newsletter Round 542 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

A cyberattack on Collins Aerospace disrupted operations at major European airports

 | 

Fortra addressed a maximum severity flaw in GoAnywhere MFT software

 | 

UK police arrested two teen Scattered Spider members linked to the 2024 attack on Transport for London

 | 

ShadowLeak: Radware Uncovers Zero-Click Attack on ChatGPT

 | 

SonicWall warns customers to reset credentials after MySonicWall backups were exposed

 | 

CVE-2025-10585 is the sixth actively exploited Chrome zero-day patched by Google in 2025

 | 

Jaguar Land Rover will extend its production halt into a third week following a cyberattack

 | 

China-linked APT41 targets government, think tanks, and academics tied to US-China trade and policy

 | 

Microsoft and Cloudflare teamed up to dismantle the RaccoonO365 phishing service

 | 

DoJ resentenced former BreachForums admin to three years in prison

 | 

Apple backports fix for actively exploited CVE-2025-43300

 | 

New supply chain attack hits npm registry, compromising 40+ packages

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Security
  • CVE-2024-44243 macOS flaw allows persistent malware installation

CVE-2024-44243 macOS flaw allows persistent malware installation

Pierluigi Paganini January 15, 2025

Microsoft disclosed details of a vulnerability in Apple macOS that could have allowed an attacker to bypass the OS’s System Integrity Protection (SIP).

Microsoft disclosed details of a now-patched macOS flaw, tracked as CVE-2024-44243 (CVSS score: 5.5), that allows attackers with “root” access to bypass System Integrity Protection (SIP).

SIP in macOS safeguards the system by blocking the execution of unauthorized code. It allows App Store apps and notarized apps while blocking others by default.

Bypassing SIP enables attackers to install rootkits, create persistent malware, bypass TCC protections, and expand the system’s vulnerability to further exploits.

“An app may be able to modify protected parts of the file system.” reads the advisory published by the IT giant. “Description: “A configuration issue was addressed with additional restrictions.”

Apple addressed the issue in December with the release of macOS Sequoia 15.2.

The vulnerability was reported by Mickey Jin (@patch1t) and Jonathan Bar Or (@yo_yo_yo_jbo) of Microsoft.

“Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.” reads the advisory published by Microsoft.

Microsoft experts pointed out that SIP bypasses often target processes with special entitlements, which grant unique capabilities and are part of a process’s digital signature, making them hard to forge. Private entitlements, often prefixed with “com.apple.private,” are reserved for system-critical functions and are mostly undocumented by Apple. Monitoring anomalous behavior in these processes is essential, as such entitlements can potentially bypass security mechanisms.

“Our team has identified the criticality in monitoring anomalous behavior by those specially entitled processes, as in many cases special entitlements could be used for bypassing security mechanisms.” continues Microsoft.

Microsoft cited the following entitlements specific to SIP:

  • com.apple.rootless.install, which can bypass SIP file system checks for a process with this entitlement
  • com.apple.rootless.install.heritable, A SIP bypass occurs when a process and its child processes inherit the com.apple.rootless.install entitlement, overriding SIP’s file system restrictions.

The storagekitd daemon, responsible for disk state management via the Storage Kit private framework, is entitled with the com.apple.rootless.install.heritable entitlement.

storagekitd has many SIP bypassing capabilities, including the com.apple.rootless.install.heritable.

The researchers highlighted the storagekitd’s ability to invoke arbitrary processes without proper validation or dropping privileges.

An attackers with root access can to add a custom file system bundle to /Library/Filesystems. This can override binaries like Disk Utility and enable SIP-protected actions, such as disk erasure, to execute malicious code.

“As described by Csaba Fitzl of Kandji in POC2024, upon mounting, the disk utility consults a specialized daemon known as the Storage Kit daemon (storagekitd), which, in turn, uses the Disk Arbitration daemon (diskarbitrationd) to invoke the right mount process via posix_spawn.” concludes Microsoft. “However, we noticed certain operations (such as “disk repair”) are directly invoked under storagekitd. Since an attacker that can run as root can drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP.”

In October 2024, Microsoft discovered another vulnerability, tracked as CVE-2024-44133 and code-named ‘HM Surf’, in Apple’s Transparency, Consent, and Control (TCC) framework in macOS.

Apple’s Transparency, Consent, and Control framework in macOS is designed to protect user privacy by managing how apps access sensitive data and system resources. It requires applications to request explicit user permission before they can access certain types of information or system features

Successful exploitation of the flaw could allow attackers to bypass privacy settings and access user data.

The “HM Surf” vulnerability removes TCC protection from Safari, allowing access to user data, including browsing history, camera, microphone, and location without consent.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, System Integrity Protection)


facebook linkedin twitter

Apple Hacking hacking news information security news IT Information Security macOS Pierluigi Paganini Security Affairs Security News SIP System Integrity Protection

you might also like

Pierluigi Paganini September 22, 2025
Stellantis probes data breach linked to third-party provider
Read more
Pierluigi Paganini September 22, 2025
FBI alerts public to spoofed IC3 site used in fraud schemes
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Stellantis probes data breach linked to third-party provider

    Data Breach / September 22, 2025

    FBI alerts public to spoofed IC3 site used in fraud schemes

    Cyber Crime / September 22, 2025

    EU agency ENISA says ransomware attack behind airport disruptions

    Security / September 22, 2025

    Researchers expose MalTerminal, an LLM-enabled malware pioneer

    Malware / September 22, 2025

    Beware: GitHub repos distributing Atomic Infostealer on macOS

    Malware / September 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT