Microsoft Discovers macOS CVE-2024-44243 SIP Bypass Flaw

Microsoft Reveals macOS Vulnerability CVE-2024-44243 Enabling Rootkit Installation

Microsoft has disclosed a critical security flaw in Apple macOS that could have allowed attackers with root access to bypass System Integrity Protection (SIP) and install malicious kernel drivers. The vulnerability, tracked as CVE-2024-44243 (CVSS score: 5.5), was patched in macOS Sequoia 15.2. Apple classified it as a “configuration issue” that could permit a malicious app to alter protected parts of the file system.

How CVE-2024-44243 Works

SIP, also known as rootless, is a macOS security feature designed to prevent unauthorized modifications to critical system components. It restricts access to directories like /System, /usr, /bin, /sbin, /var, and pre-installed applications, ensuring that only Apple-signed processes with special entitlements can modify them.

Microsoft’s Threat Intelligence team, led by Jonathan Bar Or, highlighted the risks associated with bypassing SIP. If successfully exploited, CVE-2024-44243 could allow attackers to install rootkits, create persistent malware, evade Transparency, Consent, and Control (TCC) protections, and widen the attack surface for further exploits.

Exploitation of Storage Kit Daemon

The vulnerability exploits the “com.apple.rootless.install.heritable” entitlement within the Storage Kit daemon (storagekitd). Attackers can abuse this entitlement to inject a file system bundle into /Library/Filesystems, replacing essential Disk Utility binaries. This allows them to execute arbitrary processes and bypass SIP protections.

By triggering disk repair or erase operations on the newly injected file system, an attacker can execute unauthorized actions without macOS detecting the tampering. This is particularly dangerous as it compromises system integrity and allows malware persistence.

Similar SIP Bypass Vulnerabilities

CVE-2024-44243 is the latest in a series of SIP bypass vulnerabilities that Microsoft has found and reported to Apple.

Additionally, Microsoft previously uncovered CVE-2024-44133 (HM Surf), a security flaw in Apple’s TCC framework, which could be used to access sensitive user data.

Security Implications and Prevention

Jaron Bradley, Director of Threat Labs at Jamf, emphasized that SIP remains a primary target for security researchers and attackers. Since Apple’s security mechanisms assume SIP cannot be bypassed, any exploit undermining it poses a severe risk.

If SIP is compromised, an attacker can:

  • Disable security solutions
  • Hide malicious files in protected system directories
  • Bypass system prompts using social engineering techniques
  • Gain deeper system access for persistent threats

How to Stay Protected

To safeguard against these vulnerabilities, macOS users should:

  • Immediately update to macOS Sequoia 15.2 or later
  • Avoid granting unnecessary root access to applications
  • Use advanced endpoint security solutions
  • Monitor system logs for suspicious activities
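As an added defender-side check that is not part of the article, and not code from Microsoft or Apple, the bash script below turns the checklist above into something an administrator can run: it confirms SIP is still on, confirms the machine is at macOS 15.2 or later, and enumerates the file system bundles in /Library/Filesystems, the directory the Storage Kit daemon abuse described earlier writes into. The three macOS commands it calls (`csrutil status`, `sw_vers -productVersion`, `log show`) are real; the bundle layout used in the sample data and the premise that every .fs bundle in that directory deserves a look are my assumptions.

```bash
#!/bin/bash
# Added audit helper (not from the article, Microsoft or Apple). It checks the
# three things a macOS admin can verify after reading about CVE-2024-44243:
#   1. SIP is still enabled             (csrutil status)
#   2. the OS is at or past 15.2        (sw_vers -productVersion)
#   3. what lives in /Library/Filesystems, where the bypass plants its bundle
# Each function takes its input as an argument so it can be exercised off a Mac.

# 1. Returns 0 if the given `csrutil status` text reports SIP enabled.
sip_enabled() {
  printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# 2. Returns 0 if the given macOS version is 15.2 or later (the fixed release).
patched_version() {
  local v="$1" major minor rest
  major=${v%%.*}
  if [ "$major" = "$v" ]; then
    minor=0                          # a bare "15" means 15.0
  else
    rest=${v#*.}
    minor=${rest%%.*}
  fi
  [ "$major" -gt 15 ] 2>/dev/null || { [ "$major" -eq 15 ] && [ "$minor" -ge 2 ]; }
}

# 3. Lists every *.fs bundle under a directory (pass /Library/Filesystems on a
#    live system) with the executables it carries, so an unexpected bundle or
#    an unexpectedly recent one stands out in review. Assumption: anything in
#    this directory is third-party and worth a second look.
list_fs_bundles() {
  local dir="$1" bundle exe
  for bundle in "$dir"/*.fs; do
    [ -d "$bundle" ] || continue
    printf 'bundle: %s\n' "$(basename "$bundle")"
    find "$bundle" -type f -perm -100 2>/dev/null | while IFS= read -r exe; do
      printf '  executable: %s\n' "${exe#"$bundle"/}"
    done
  done
}

# Number of *.fs bundles found (convenient for scripting and for the test).
count_fs_bundles() {
  list_fs_bundles "$1" | grep -c '^bundle: '
}

# On a Mac, run the audit for real; elsewhere only the functions are defined.
if [ "$(uname)" = Darwin ]; then
  if sip_enabled "$(csrutil status)"; then
    echo "SIP: enabled"
  else
    echo "SIP: NOT enabled - investigate before anything else"
  fi
  if patched_version "$(sw_vers -productVersion)"; then
    echo "macOS: at or past 15.2 (CVE-2024-44243 fixed)"
  else
    echo "macOS: older than 15.2 - update"
  fi
  list_fs_bundles /Library/Filesystems
  # Recent unified-log activity of the daemon the bypass goes through.
  log show --last 1h --predicate 'process == "storagekitd"' 2>/dev/null | tail -n 20
fi
```

Run it on a Mac as `bash audit_sip.sh`; `log show` may need an administrator account to return anything. On any other system the top-level block is skipped and only the functions load, which is what allows the version parser, the SIP-status parser and the bundle enumeration to be checked against constructed input.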

Enhance Your Cybersecurity with Snow Stag

At Snow Stag, we specialize in cybersecurity solutions, including vulnerability assessment, threat intelligence, and penetration testing. Our team has been recognized by top organizations like Google, Microsoft, and the US DoD for cybersecurity excellence. Secure your systems with our expert services today!

Written by

Noah Davis

Content Writer