“Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature,” said SentinelOne in a blog post announcing the discovery.
SIP was a feature first introduced in El Capitan. It prevents users from changing system files through a “rootless” system that keeps even administrator accounts from accessing specific files without first disabling SIP.
SentinelOne’s slides detail how a hacker could attack SIP directly, forgoing traditional exploits such as memory corruption, to access a system, all while operating with impunity because the exploit is difficult to spot once it’s implemented.
Once the hacker bypasses SIP, they have near total control of any device running OS X.
Worse, bad actors could then use SIP as a shield to prevent the system from repairing itself, a move a SentinelOne security researcher calls a “protection racket.”
Apple has been notified of the issue and a patch is on the way.