Get Free Information Around Information Security &
The Latest News in Cybersecurity Right to Your Inbox

Apple OS X Zero Day Vulnerability Can Bypass System Integrity Protection

By SentinelOne -

System Integrity

Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature. It was reported to Apple and patches will be available soon. This zero day vulnerability is present in all versions of Apple’s OS X operating system. SentinelOne’s lead OS X security expert, Pedro Vilaça, is presenting the full findings on this vulnerability today at SysCan360 2016 in Singapore.

The Vulnerability

This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits. SIP is a new feature, which is designed to prevent potentially malicious software from modifying protected files and folders: essentially to protect the system from anyone who has root access, authorized or not.

The same exploit allows someone to escalate privileges and also to bypass system integrity. In this way, the same OS X security feature designed to protect users from malware can be used to achieve malware persistency.

To exploit this vulnerability, an attacker must first compromise the target system. This could be accomplished via a spearphishing attack, or by exploiting the user’s browser, for example.

It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes. This kind of exploit could typically be used in highly targeted or state sponsored attacks.

Difficult to Detect

This vulnerability not only reveals a major security flaw in OS X, but also provides further evidence that exploits can be extremely stealthy, and at times, virtually impossible to detect. The nature of this particular exploit enables it to evade defenses by utilizing very reliable and stable techniques that traditional detection mechanisms, looking for more obvious warning signs, would miss.

A copy of Pedro’s presentation can be found here:  Pedro’s SysCan360 2016 Presentation.

To learn how intelligent automation can close the vulnerability gap between threat detection and response, download our white paper, Real-Time, Unified Endpoint Protection: A New Era in Incident Response.



What's New


90 Days: A CISO’s Journey to Impact

We have partnered with some of the most successful CISOs to create a blueprint for success


SentinelOne H1 2018 Enterprise Risk Index

Our research team closely monitors all SentinelOne endpoints for insights

Live Demo

Endpoint Protection Platform Free Demo

Interested in seeing us in action? Request a free demo and we will follow up soon