Microsoft has identified a new macOS vulnerability. It is called Migraine, and it can really give users headaches, but only those who avoid system updates.
According to a report published on May 30, Migraine allows attackers with root privileges to bypass System Integrity Protection (SIP) and perform arbitrary actions on the device, including installing malware and obtaining personal data from the computer.
SIP is a security technology that restricts the actions of users with root privileges. It prohibits actions that could violate the integrity of the system. To do this, the suspicious process is placed in a sandbox, which prevents it from overwriting files and directories. Bypassing SIP is usually impossible on a running system: it requires restarting the computer and switching to system recovery mode. However, experts from Microsoft discovered a vulnerability in the built-in Migration Assistant utility, which is where the name Migraine comes from.
Interaction with Migration Assistant requires direct access to the computer, but the researchers managed to interfere with this function and start the migration remotely without logging out of the account (without which the utility usually does not work). Next, they configured the restoration of a backup from Time Machine, in which a malicious payload capable of bypassing SIP had been prepared. This way the virus gets onto the computer without the possibility of removal or detection, and the delivery process was automated via AppleScript.
Microsoft informed Apple about the discovery in advance, and the vulnerability has already been closed in the May 18 updates: macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7. To protect yourself, it is enough to make sure that you are using the current version of the system.
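One way to run that version check, as an added example that is not from Microsoft's report or from Apple: it compares a macOS version string against the fixed releases listed above. The function names are hypothetical; `sw_vers` and `csrutil status` are the standard macOS tools, and release lines the article does not mention are reported as not-listed rather than guessed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical.

# Minimum fixed release per macOS line, as listed in the article.
fixed_version_for() {
    case "$1" in
        13) echo "13.4" ;;
        12) echo "12.6.6" ;;
        11) echo "11.7.7" ;;
    esac
}

# version_ge A B: succeed if dotted version A >= B. Components are compared
# as numbers (12.10 > 12.6.6); missing components count as 0.
version_ge() {
    for i in 1 2 3; do
        x=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
        y=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Prints patched, needs-update, not-listed (release line the article does
# not mention) or invalid (not a dotted numeric version).
migraine_status() {
    case "$1" in
        ''|*[!0-9.]*|.*|*..*|*.) echo "invalid"; return 0 ;;
    esac
    fixed=$(fixed_version_for "${1%%.*}")
    if [ -z "$fixed" ]; then
        echo "not-listed"
    elif version_ge "$1" "$fixed"; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# On a Mac: classify the running system and show the current SIP state.
if command -v sw_vers >/dev/null 2>&1; then
    migraine_status "$(sw_vers -productVersion)"
    csrutil status
fi
```

For a fleet audit, feed `migraine_status` the version strings from an inventory export instead of the local `sw_vers` output.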