Even after recent patches, Apple's rootless feature can reportedly be bypassed
Researcher Stefan Esser has found flaws in various programs that can be exploited to bypass Apple's new System Integrity Protection feature.
Apple's System Integrity Protection (SIP) feature, introduced into its OS X El Capitan operating system to restrict system changes at the root level, can be circumvented by simple code, according to an article in The Register today.
Even though Apple's most recent OS updates—El Capitan 10.11.4 and iOS 9.3—patched a non-memory corruption bug in its rootless code, there remain flaws in SIP-entitled programs that could result in the bypassing of SIP, The Register explained, citing researcher Stefan Esser from German security firm SektionEins.
For example, the article continued, Esser found a vulnerability in /sbin/fsck_cs, a program that is allowed to modify SIP-protected files, and is designed to verify and repair CoreStorage logical volume groups. The article noted that code small enough to fit in a tweet could exploit this flaw in order to “wreck a crucial OS X configuration file that not even root is normally allowed to touch.”
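The article's point is that SIP-entitled binaries such as /sbin/fsck_cs are the attack surface to watch. The following shell script is an added example, not code from the article, from The Register or from SektionEins: it is a small defender-side audit helper that reports whether SIP is enabled and whether a given binary is itself SIP-protected or carries the entitlement that lets it write to SIP-protected paths. The entitlement key com.apple.rootless.install and the exact output formats of csrutil, ls -lO and codesign are assumptions about macOS tooling, not facts stated by the article; the parsing functions take captured output as arguments so they can be exercised on any system.

```shell
#!/bin/sh
# Added example (not from the article or from SektionEins): audit helper for
# SIP status and SIP-entitled binaries. Entitlement key and tool output formats
# are assumptions about macOS tooling.

# sip_state OUTPUT_OF_CSRUTIL_STATUS -> prints "enabled", "disabled" or "unknown"
sip_state() {
  case "$1" in
    *"status: enabled"*)  printf 'enabled\n' ;;
    *"status: disabled"*) printf 'disabled\n' ;;
    *)                    printf 'unknown\n' ;;
  esac
}

# is_restricted LS_LO_LINE -> exit 0 when the "restricted" file flag is present
# (the flag that `ls -lO` shows for SIP-protected paths; assumed format)
is_restricted() {
  case "$1" in
    *" restricted "*|*" restricted,"*|*",restricted "*|*",restricted,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# has_rootless_entitlement ENTITLEMENTS_PLIST_TEXT -> exit 0 when the plist
# grants com.apple.rootless.install (assumed entitlement key)
has_rootless_entitlement() {
  printf '%s\n' "$1" | grep -q '<key>com.apple.rootless.install</key>'
}

# audit [BINARY]: live audit, meaningful only on macOS (defaults to the
# binary named in the article). Returns 2 elsewhere.
audit() {
  bin="${1:-/sbin/fsck_cs}"
  if [ "$(uname -s)" != "Darwin" ]; then
    echo "not macOS; nothing to audit live" >&2
    return 2
  fi
  echo "SIP: $(sip_state "$(csrutil status 2>/dev/null)")"
  if is_restricted "$(ls -lO "$bin" 2>/dev/null)"; then
    echo "$bin carries the restricted flag (SIP-protected itself)"
  fi
  # ':-' strips the blob header so plain plist XML is printed (assumed flag form)
  if has_rootless_entitlement "$(codesign -d --entitlements :- "$bin" 2>/dev/null)"; then
    echo "$bin is entitled to modify SIP-protected paths: review it as a bypass surface"
  fi
}

# Usage: sh audit_sip.sh /sbin/fsck_cs   (runs the live audit on macOS)
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

On a macOS host the live audit prints the SIP state and flags any binary that is both SIP-protected and SIP-entitled, which is exactly the class of program the article describes; a "disabled" SIP state, or an unexpected binary carrying the entitlement, is what a fleet check should alert on.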