430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The Apple System Integrity Protection feature bypassed

Security researchers from SentinelOne have discovered a security vulnerability affecting the Apple System Integrity Protection (SIP). Security researcher Pedro Vilaça from SentinelOne has discovered a security vulnerability ( CVE-2016-1757) affecting the Apple System Integrity Protection (SIP). The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain […]

The Apple System Integrity Protection feature bypassed

Security researchers from SentinelOne have discovered a security vulnerability affecting the Apple System Integrity Protection (SIP).

Security researcher Pedro Vilaça from SentinelOne has discovered a security vulnerability ( CVE-2016-1757) affecting the Apple System Integrity Protection (SIP).

The SIP is a security mechanism implemented by Apple in the OS X El Capitan operating system for the protection of certain system processes, files and folders from being modified or tampered with by other processes, even when they are executed by a user with root privileges.

“System Integrity Protection is a security technology in OS X El Capitan that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.” states a blog post published by Apple.

“System Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.”

System Integrity Protection SIP bypass OS X El Capitan

According to the experts at SentinelOne the flaw allows circumventing the SIP technology. This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.

The exploit is very stable because the SIP feature can be bypassed triggering the flaw without compromising the kernel.

“This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.”

The attackers can exploit the flaw for various purposes, for example, the vulnerability could be exploited in a multi-stage attack in which crooks have already compromised the target system and use the flaw to gain persistence on compromised devices.

In order to exploit the vulnerability, an attacker must first figure out a way to compromise the targeted system – a task that can be accomplished via a spear-phishing attack or by exploiting a flaw in the victim’s browser, the expert said.

“The vulnerability is very easy to exploit if an attacker is able to run code on the system. The exploit is extremely reliable (100%). It could be part of a bug chain that exploits a browser like Safari or Chrome,” Vilaça explained to SecurityWeek.

SentinelOne confirmed that it isn’t aware of any attack in the wild that exploited the flaw to date.

Such kind of attacks are very insidious and difficult to detect, there is the concrete risk that nation-state hackers can leverage on this exploit in their attacks. Vilaça said he wasn’t aware of any malicious exploitation of the vulnerability to date while adding the caveat that attacks would be difficult to detect.

The flaw affects every version of Apple’s OS X desktop operating system, Apple has begun to issue security patches.

“The bug was patched with El Capitan 10.11.4 and iOS 9.3,” according to Vilaça. “Other versions do not appear to have a patch for this specific bug from Apple’s Security Bulletin, meaning they are left vulnerable to this specific bug.”

Vilaça will provide details about the SIP bypass technique today at the SysCan360 2016 security conference.

Pierluigi Paganini

Security Affairs –  (System Integrity Protection, SIP, hacking)