SentinelOne Finds Apple OS X Zero Day Bug

Written by

SentinelOne has unearthed a major flaw in all versions of Apple’s OS X operating system which allows for local privilege escalation and bypass of the tech giant’s newest security feature System Integrity Protection (SIP).

Pedro Vilaça, SentinelOne’s lead OS X security expert, will be presenting the full findings from this at SysCan360 2016 in Singapore today.

The zero day vulnerability is a non-memory corruption bug present in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass the key security feature of SIP, which is designed to stop potentially malicious software from modifying protected files and folders, protecting systems from anyone who has root access, authorized or not.

In order to exploit the vulnerability, an attacker must first compromise the target system, which they could do with a spear phishing attack or by exploiting the user’s browser, for example. SentinelOne says the vulnerability is logic-based, extremely reliable and stable, and does not crash machines or processes – the kind of exploit that could be used in highly targeted or state sponsored attacks.

Although SentinelOne has reported the issue to Apple and patches will be available soon, the nature of this particular bug means it can evade defenses by using very dependable and stable techniques that traditional detection mechanisms looking for more obvious warning signs would miss, providing more evidence that exploits such as this can be very stealthy and difficult to detect.

In a statement to Infosecurity Piers Wilson, head of product management at Huntsman Security, divulged on this a little further.

“Zero day flaws are incredibly difficult to pick-up on, as they take advantage of loopholes that the software-maker and end-user are unaware of,” he said. “They are, by definition, unpatched. Traditional security solutions like anti-virus and intrusion detection systems are signature-based and are only looking out for symptoms of known malicious threats. Since this type of exploit appears to be legitimate from the perspective of these security systems, it doesn’t get flagged as a threat and is therefore allowed through.”

Reports of Apple’s vulnerabilities and attacks seem to be making the headlines quite a bit as of late – just two weeks ago, for example, a piece of ransomware dubbed ‘KeRanger’ specifically targeted OS X and became the first to be fully functional on the platform. However, as Thomas Reed, Director of Mac Offerings at Malwarebytes would argue, this has more to do with the popularity of Apple devices rather than being a suggestion their security is not up to scratch.

Reed explained that although attacks on Macs are becoming more attractive to cyber-criminals, malware attacks rarely pay off on them.

“Case in point, the ‘KeRanger’ ransomware,” he told Infosecurity. “It was killed by Apple within less than 48 hours after its first release, being added to the XProtect anti-malware signatures in OS X and having its codesigning certificate revoked. As a result, OS X would not allow it to open after Apple blocked it, and it affected very few people. The effort of getting it into distribution ended up being mostly wasted.

“This isn't a particularly unique situation. All recent Mac malware has been killed off by Apple very shortly after its discovery. The wider the distribution, the more likely malware is to be killed quickly.”

Reed admitted that as Mac researchers continue to develop new concepts and products it is inevitable that vulnerabilities will follow, but he does not believe malware will be particularly successful in exploiting these.

“I think it's unlikely that we'll see much malware taking advantage of those least, not widespread malware. Things like state-sponsored malware used in targeted attacks against individuals are a completely different story,” he added.

What’s hot on Infosecurity Magazine?