Introduction
Cybersecurity professionals are strongly advised to update their systems with the latest macOS patch to address a critical vulnerability identified as CVE-2024-44243. This vulnerability, discovered by the Microsoft Threat Intelligence team and security researcher Mickey Jin [8], poses significant risks to macOS systems by exploiting the System Integrity Protection (SIP) mechanism. The flaw allows local attackers with root privileges to bypass SIP protections [6], potentially leading to severe security breaches.
Description
Cyber defenders are urged to update their systems with the latest macOS patch addressing the critical vulnerability tracked as CVE-2024-44243 [7]. Discovered in late 2024 by the Microsoft Threat Intelligence team and security researcher Mickey Jin, this medium-severity flaw (CVSS score: 5.5) affects the System Integrity Protection (SIP) mechanism in macOS [2]. The vulnerability exploits the Storage Kit daemon (storagekitd) [8], which manages disk operations [1] [2] [3] [8], by leveraging the com.apple.rootless.install.heritable entitlement to bypass SIP protections [2]. This allows local attackers with root privileges to invoke arbitrary processes without proper validation, enabling them to load third-party kernel extensions and install persistent malware, such as rootkits [1] [6], thereby modifying protected areas of the file system [2], including /Library/Filesystems [2].
Identified in the December 11, 2024 security update for macOS Sequoia 15.2, CVE-2024-44243 poses a substantial risk as it can be exploited through the Migration Assistant tool, allowing adversaries to install “undeletable” malware without requiring physical access to the device. This compromises system integrity and evades Apple’s Transparency [2], Consent [2] [4], and Control (TCC) framework designed to protect user data [2]. The critical issue arises from the Storage Kit daemon’s ability to invoke child processes without proper validation, expanding the attack surface for additional exploits and making detection by traditional security measures more challenging [2].
Experts recommend that [5] [7], in addition to applying the patch promptly [7], organizations should employ proactive monitoring techniques to track anomalous behavior in processes with special entitlements, particularly those related to disk management. Monitoring for unusual activity and privileged user behavior is essential [7], as is restricting the use of third-party kernel extensions [9], including those from Tuxera [8], Paragon [3] [8], EaseUS [3] [8], and iBoysoft [3] [8], which have been identified as vulnerable.
To enhance security against this vulnerability [9], it is crucial to ensure that macOS systems are regularly updated with the latest security patches [9]. Implementing endpoint detection tools [5] [9], such as Microsoft Defender for Endpoint [2], to manage unsigned kernel extensions and adhering to Apple’s security guidelines are vital steps in safeguarding sensitive data and maintaining system integrity [9]. Security experts emphasize the necessity of keeping systems updated and using advanced security tools to monitor kernel-level activities for signs of compromise [9].
Recent attacks [7], such as the macOS infostealer malware “Banshee,” have highlighted vulnerabilities in Apple’s defenses [7], underscoring the need for regular integrity checks and adherence to security protocols to mitigate risks [7]. The ongoing stream of OS vulnerabilities indicates that relying solely on endpoint-based security solutions may be a risky approach [7], as local attackers can exploit these weaknesses to bypass OS integrity protections [7]. While there have been no reported instances of exploitation in the wild [6], the potential for severe consequences remains [6], making prompt action essential.
Conclusion
The CVE-2024-44243 vulnerability in macOS underscores the critical need for timely updates and robust security measures. By applying the latest patches and employing proactive monitoring and detection tools, organizations can mitigate the risks associated with this flaw. As the landscape of cybersecurity threats continues to evolve, maintaining vigilance and adhering to best practices are essential to safeguarding systems and protecting sensitive data from potential exploits.
References
[1] https://cybermaterial.com/microsoft-finds-sip-bypass-flaw-in-macos/
[2] https://news.hackreports.com/microsoft-uncovers-macos-vulnerability-cve-2024-44243-allowing-rootkit-installation/
[3] https://www.tomsguide.com/computing/online-security/critical-macos-flaw-puts-your-data-and-cameras-at-risk-update-right-now
[4] https://www.channele2e.com/brief/new-bug-can-bypass-macos-sip-security-and-attack-kernel
[5] https://siliconangle.com/2025/01/14/microsoft-reveals-macos-vulnerability-allowed-system-integrity-protection-bypass/
[6] https://www.techradar.com/pro/security/microsoft-reveals-more-on-a-potentially-major-apple-macos-security-flaw
[7] https://www.darkreading.com/vulnerabilities-threats/apple-bug-root-protections-bypass-physical-access
[8] https://gbhackers.com/hackers-to-bypass-apples-system-integrity-protection/
[9] https://www.archyde.com/microsoft-uncovers-macos-vulnerability-bypassing-system-integrity-protection/
