Patch/Configuration Management, Vulnerability Management

Even after recent patches, Apple’s rootless feature can reportedly be bypassed

Apple's System Integrity Protection (SIP) feature, introduced into its OS X El Capitan operating system to restrict system changes at the root level, can be circumvented by simple code, according to an article in The Register today.

Even though Apple's most recent OS updates—El Capitan 10.11.4 and iOS 9.3—patched a non-memory corruption bug in its rootless code, there remain flaws in SIP-entitled programs that could result in the bypassing of SIP, The Register explained, citing researcher Stefan Esser from German security firm SektionEins.

For example, the article continued, Esser found a vulnerability in /sbin/fsck_cs, a program that is allowed to modify SIP-protected files, and is designed to verify and repair CoreStorage logical volume groups. The article noted that code small enough to fit in a tweet could exploit this flaw in order to “wreck a crucial OS X configuration file that not even root is normally allowed to touch.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.