Microsoft Discovers MacOS Bug That Can bypass SIP

The Microsoft 365 Defender Research Team recently discovered a new macOS vulnerability nicknamed “Shrootless” and tracked it as CVE-2021-30892, a vulnerability that can misuse privilege inheritance in macOS ‘System Integrity Protection (SIP) thereby giving room for the execution of arbitrary code with root privileges.

Reportedly, the vulnerability has already been patched in the three supported versions of macOS (Monterey 12.0.1, Catalina with Security Updates 2021-007, and Big Sur 11.6.1) although there are indications that older versions of OS X running SIP including OS X 10.11 and later may still be vulnerable.

When examining how Shrootless works, the first thing to understand is how SIP works. SIP as we have it adds kernel-level that prevent certain files on the disk and certain processes in memory from being changed, even with root privileges.

The bug then takes advantage of the fact that the kernel can modify protected locations as needed, even if root privileges are no longer sufficient to modify important system files.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web