• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Security
  • CVE-2024-44243 macOS flaw allows persistent malware installation

CVE-2024-44243 macOS flaw allows persistent malware installation

Pierluigi Paganini January 15, 2025

Microsoft disclosed details of a vulnerability in Apple macOS that could have allowed an attacker to bypass the OS’s System Integrity Protection (SIP).

Microsoft disclosed details of a now-patched macOS flaw, tracked as CVE-2024-44243 (CVSS score: 5.5), that allows attackers with “root” access to bypass System Integrity Protection (SIP).

SIP in macOS safeguards the system by blocking the execution of unauthorized code. It allows App Store apps and notarized apps while blocking others by default.

Bypassing SIP enables attackers to install rootkits, create persistent malware, bypass TCC protections, and expand the system’s vulnerability to further exploits.

“An app may be able to modify protected parts of the file system.” reads the advisory published by the IT giant. “Description: “A configuration issue was addressed with additional restrictions.”

Apple addressed the issue in December with the release of macOS Sequoia 15.2.

The vulnerability was reported by Mickey Jin (@patch1t) and Jonathan Bar Or (@yo_yo_yo_jbo) of Microsoft.

“Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.” reads the advisory published by Microsoft.

Microsoft experts pointed out that SIP bypasses often target processes with special entitlements, which grant unique capabilities and are part of a process’s digital signature, making them hard to forge. Private entitlements, often prefixed with “com.apple.private,” are reserved for system-critical functions and are mostly undocumented by Apple. Monitoring anomalous behavior in these processes is essential, as such entitlements can potentially bypass security mechanisms.

“Our team has identified the criticality in monitoring anomalous behavior by those specially entitled processes, as in many cases special entitlements could be used for bypassing security mechanisms.” continues Microsoft.

Microsoft cited the following entitlements specific to SIP:

  • com.apple.rootless.install, which can bypass SIP file system checks for a process with this entitlement
  • com.apple.rootless.install.heritable, A SIP bypass occurs when a process and its child processes inherit the com.apple.rootless.install entitlement, overriding SIP’s file system restrictions.

The storagekitd daemon, responsible for disk state management via the Storage Kit private framework, is entitled with the com.apple.rootless.install.heritable entitlement.

storagekitd has many SIP bypassing capabilities, including the com.apple.rootless.install.heritable.

The researchers highlighted the storagekitd’s ability to invoke arbitrary processes without proper validation or dropping privileges.

An attackers with root access can to add a custom file system bundle to /Library/Filesystems. This can override binaries like Disk Utility and enable SIP-protected actions, such as disk erasure, to execute malicious code.

“As described by Csaba Fitzl of Kandji in POC2024, upon mounting, the disk utility consults a specialized daemon known as the Storage Kit daemon (storagekitd), which, in turn, uses the Disk Arbitration daemon (diskarbitrationd) to invoke the right mount process via posix_spawn.” concludes Microsoft. “However, we noticed certain operations (such as “disk repair”) are directly invoked under storagekitd. Since an attacker that can run as root can drop a new file system bundle to /Library/Filesystems, they can later trigger storagekitd to spawn custom binaries, hence bypassing SIP.”

In October 2024, Microsoft discovered another vulnerability, tracked as CVE-2024-44133 and code-named ‘HM Surf’, in Apple’s Transparency, Consent, and Control (TCC) framework in macOS.

Apple’s Transparency, Consent, and Control framework in macOS is designed to protect user privacy by managing how apps access sensitive data and system resources. It requires applications to request explicit user permission before they can access certain types of information or system features

Successful exploitation of the flaw could allow attackers to bypass privacy settings and access user data.

The “HM Surf” vulnerability removes TCC protection from Safari, allowing access to user data, including browsing history, camera, microphone, and location without consent.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, System Integrity Protection)


facebook linkedin twitter

Apple Hacking hacking news information security news IT Information Security macOS Pierluigi Paganini Security Affairs Security News SIP System Integrity Protection

you might also like

Pierluigi Paganini July 23, 2025
U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 23, 2025
Sophos fixed two critical Sophos Firewall vulnerabilities
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

    Hacking / July 23, 2025

    Sophos fixed two critical Sophos Firewall vulnerabilities

    Security / July 23, 2025

    French Authorities confirm XSS.is admin arrested in Ukraine

    Cyber Crime / July 23, 2025

    Microsoft linked attacks on SharePoint flaws to China-nexus actors

    APT / July 23, 2025

    Cisco confirms active exploitation of ISE and ISE-PIC flaws

    Hacking / July 22, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT