SIP bypass can be used to harden malware infections

Mar 24, 2016 12:12 GMT  ·  By

Pedro Vilaça, lead OS X security researcher at security firm SentinelOne, has discovered a zero-day issue in all current Mac OS X versions, the company announced today.

The researcher describes the bug as a non-memory-corruption issue that allows attackers to execute code remotely on a targeted machine and then escalate their privileges to the root user.

This is bad enough on its own, since it grants root access on almost all recent Mac versions, but as Mr. Vilaça discovered, on Mac OS X El Capitan the bug can also be used to bypass a security feature Apple introduced recently, the System Integrity Protection (SIP) mechanism.

Attackers can bypass SIP and then use it to protect their malware

Apple designed SIP to prevent any user, even root, from modifying key system files. Vilaça's bug can bypass this protection, alter system files, and allow malware to gain persistence on infected devices.

If users ever discover the infection, removing it would be nigh impossible, since SIP would work against them, preventing them from reaching or altering the malware-laced system file.

By default, SIP protects the following folders: /System, /usr, /bin, /sbin, along with apps that are pre-installed with OS X.

Vulnerability is logic-based and easy to exploit

According to Vilaça, the vulnerability is easy to exploit, and simple spear-phishing emails or browser-based attacks should be more than enough to compromise systems.

"It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes," SentinelOne explains. "This kind of exploit could typically be used in highly targeted or state-sponsored attacks."

Apple fixed the issue (CVE-2016-1757) in OS X El Capitan version 10.11.4, released on March 21.

Mr. Vilaça will be presenting more details about this zero-day at the SysCan360 2016 security conference, today in Singapore. You can view his conference presentation slides here.