Apple OS X Zero Day Vulnerability Can Bypass System Integrity Protection

System Integrity

Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature. It was reported to Apple and patches will be available soon. This zero day vulnerability is present in all versions of Apple’s OS X operating system. SentinelOne’s lead OS X security expert, Pedro Vilaça, is presenting the full findings on this vulnerability today at SysCan360 2016 in Singapore.

The Vulnerability

This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits. SIP is a new feature, which is designed to prevent potentially malicious software from modifying protected files and folders: essentially to protect the system from anyone who has root access, authorized or not.

The same exploit allows someone to escalate privileges and also to bypass system integrity. In this way, the same OS X security feature designed to protect users from malware can be used to achieve malware persistency.

To exploit this vulnerability, an attacker must first compromise the target system. This could be accomplished via a spearphishing attack, or by exploiting the user’s browser, for example.

It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes. This kind of exploit could typically be used in highly targeted or state sponsored attacks.

Difficult to Detect

This vulnerability not only reveals a major security flaw in OS X, but also provides further evidence that exploits can be extremely stealthy, and at times, virtually impossible to detect. The nature of this particular exploit enables it to evade defenses by utilizing very reliable and stable techniques that traditional detection mechanisms, looking for more obvious warning signs, would miss.

A copy of Pedro’s presentation can be found here:  Pedro’s SysCan360 2016 Presentation.

To learn how intelligent automation can close the vulnerability gap between threat detection and response, download our white paper, Real-Time, Unified Endpoint Protection: A New Era in Incident Response.