Microsoft recently detected a security exploit that could allow attackers to bypass a core security feature on computers running on macOS. Dubbed “Migraine”, the vulnerability can be used to sidestep Apple’s System Integrity Protection (SIP) on macOS — a feature that protects parts of the operating system related to system integrity by restricting access to certain files — and install malware on a victim’s computer. Microsoft warned Apple about the security flaw and the Cupertino company has patched the flaw with its latest security update.
According to details shared by Microsoft in a blog post, the “Migraine” security exploit relies on Migration Assistant, a tool provided by Apple to allow users to transfer files from one Mac to another or from a Windows PC to a Mac. The Migration Assistant app from Apple has unrestricted root access that allows it to perform its data transfer function, and security researchers at Microsoft leveraged the special ‘entitlement’ given to the tool, for the exploit.
After modifying the Migration Assistant to run without logging off a user, Microsoft was able to run the tool in debug mode to bypass a signature check. The company used a 1GB Time Machine backup with malicious software, using a script to cause Migration Assistant to import the backup and infect the host system. The entire process bypassed the System Integrity Protection feature that was first introduced on macOS in 2015.
It is worth noting that the Migration Assistant is typically available during user setup, which means that an attacker would need to have local access to a machine. Microsoft says that the arbitrary system bypasses like Migraine could create files that are protected by SIP, the same mechanism that it bypasses, making deletion very difficult. Attackers can also run arbitrary kernel code and tamper with the system to enable rootkits. Microsoft adds that these exploits can also be used to gain access to private data as well as computer accessories and devices.
Users who have updated their computers to macOS 13.4 after it was rolled out on May 18 should be safe from the exploit, which has been patched by Apple. Microsoft disclosed the security flaw to Apple, allowing the firm to roll out a fix for the issue. Meanwhile, the company has thanked Microsoft’s Jonathan Bar Or, Anurag Bohra, and Michael Pearse for identifying the exploit.