A security researcher from SentinelOne has disclosed a critical zero-day vulnerability that affects all versions of Apple's OS X and some versions of iOS.
By exploiting the vulnerability, attackers can gain full access to the affected device, making it easy to steal sensitive data and to bypass the company's protection feature.
When Apple rolled out OS X El Capitan, it added a new security feature to the OS X kernel. Dubbed System Integrity Protection (SIP), it is meant to prevent malicious or badly behaved software from modifying protected files and folders on your Mac.
SIP restricts the root account on OS X, limiting what even a root user can change in the protected parts of the system. This should significantly reduce the chance of code hijacking or privilege-escalation issues.
The security measures, albeit strong, were not unbeatable.
Pedro Vilaça from SentinelOne reported back in January a critical vulnerability in both the iOS and OS X code bases that permits local privilege escalation as well as a surprisingly easy bypass of SIP, with no kernel exploit required.
Tracked as CVE-2016-1757, the zero-day is a non-memory-corruption bug, which makes it easy for attackers to do a number of things: execute code remotely (remote code execution), run custom-made code on the device, and even perform sandbox escapes.
"The same exploit allows someone to escalate privileges and also to bypass system integrity," Vilaça notes.
In an ironic twist, this turns the very OS X security feature that was crafted to keep malware at bay into a tool against the user, because attackers can use it to achieve malware persistence. Apple also ships a layer of malware protection embedded in the Mac OS, but earlier reports show that it has its own weaknesses.
Previous reports indicated that Apple's built-in malware protection is itself vulnerable to exploitation by malware.
By default, SIP protects the following locations: /System, /usr, /bin, /sbin, and the applications that come pre-installed with OS X.
The researcher points out that the zero-day is easy to exploit by way of simple spear-phishing or browser-based attacks. What is more, the weakness in SIP makes the infiltration both stable and reliable, without crashing the targeted machine.
Apple finally fixed the vulnerability in the updates for El Capitan version 10.11.4 and for iOS 9.3, which recently went live. Earlier versions of the Mac and iPhone operating systems remain unpatched, leaving them exposed to the zero-day bug.
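A fleet-check script of the kind an administrator would write after reading the two points above (the default SIP coverage and the 10.11.4 fix). This is an added example, not code from the article, SentinelOne or Apple; it assumes the plain-text output formats of `sw_vers -productVersion` and `csrutil status` on El Capitan, and the sample inputs at the bottom are constructed, not taken from a real machine.

```shell
#!/bin/sh
# Exposure check for CVE-2016-1757: flags Macs older than the 10.11.4 fix,
# and separately flags patched Macs on which SIP has been switched off.

# version_ge A B: returns 0 (true) when dotted version A >= B.
# Compares up to three numeric fields; missing fields count as 0.
version_ge() {
    a="$1."; b="$2."
    i=0
    while [ "$i" -lt 3 ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Fixed in OS X 10.11.4 per the article; true when the version is patched.
osx_patched_for_cve_2016_1757() {
    version_ge "$1" "10.11.4"
}

# Parses the text printed by `csrutil status`; true when SIP is enabled.
sip_enabled_from_status() {
    case "$1" in
        *"status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# exposure_verdict VERSION CSRUTIL_OUTPUT: one-line verdict for a report.
exposure_verdict() {
    ver="$1"; csr="$2"
    if ! osx_patched_for_cve_2016_1757 "$ver"; then
        echo "EXPOSED: OS X $ver predates the 10.11.4 fix"
    elif ! sip_enabled_from_status "$csr"; then
        echo "WEAKENED: OS X $ver is patched but SIP is disabled"
    else
        echo "OK: OS X $ver with SIP enabled"
    fi
}

# On a real Mac, feed live values:
#   exposure_verdict "$(sw_vers -productVersion)" "$(csrutil status)"
# Constructed sample inputs for an offline run:
exposure_verdict "10.11.3" "System Integrity Protection status: enabled."
exposure_verdict "10.11.4" "System Integrity Protection status: disabled."
exposure_verdict "10.11.5" "System Integrity Protection status: enabled."
```

Pre-El Capitan systems have no `csrutil`, but they fail the version test first, so the script still reports them as exposed.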
The SentinelOne researcher was not the only one to flag the increased security risk.
Google's Project Zero also published technical details of the vulnerability. Should you want to find out more, see Project Zero's official page.
Vilaça said he did not know whether the exploit is being used widely in the wild, but acknowledged that the bug is present in more than one version of OS X.
"This kind of exploit could typically be used in highly targeted or state sponsored attacks," he concludes.