The Microsoft 365 Defender Research Team recently reported a new macOS vulnerability to Apple. The vulnerability was assigned CVE-2021-30892 and also goes by “Shrootless.” It could allow root-level access because the system_installd daemon carried the com.apple.rootless.install.inheritable entitlement, which child processes it spawns inherit. An attacker who bypasses the System Integrity Protection (SIP) restrictions this way could install a rootkit, modify protected system files, and place malware on the device. A proof of concept (POC) that overrode the kernel extension exclusion list was used to demonstrate that the flaw is exploitable. Microsoft principal security researcher Jonathan Bar Or stated, “We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process.” On October 26th, Apple addressed the flaw by releasing a security update.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense