This article is more than 1 year old

Researchers find hole in SIP, Apple’s newest protection feature

System Integrity Protection pwned

Security researchers have discovered a vulnerability that creates a means for hackers to circumvent Apple’s newest protection feature, System Integrity Protection (SIP).

SIP is designed to prevent potentially malicious software from modifying protected files and folders. The technology is designed to protect the system from anyone who has root access, authorised or not. SIP is a key security feature of the latest version of OS X, El Capitan, as explained by Apple here.

Researchers at SentinelOne discovered a flaw that allows for local privilege escalation and bypass of System Integrity Protection, effectively circumventing the technology.

This vulnerability is a non-memory corruption bug that exists in every version of OS X and allows users to execute arbitrary code on any binary. It can bypass a key security feature of the latest version of OS X, El Capitan, the System Integrity Protection (SIP) without kernel exploits.

A successful privilege escalation attack that circumvented SIP would bypass system integrity, thereby opening the door to a key hacker objective of giving malware persistence on compromised devices.

To exploit this vulnerability, an attacker must first compromise the target system. This could be accomplished via a spear-phishing attack, or by exploiting the user’s browser, for example.

So the vulnerability only comes into play as part of a multi-part attack, a combination punch, rather than as a stand-alone exploit.

“The exploit is a local privilege escalation type of exploit, meaning that you need an initial vector to run the exploit,” Pedro Vilaça, the researcher at SentinelOne who detected the flaw told El Reg. “This could be a phishing attack with some malware attachment, something like a fake Flash update, or remote code execution via a browser or any other application. So it's definitely part of a multi-stage attack, which has the advantage of taking care of privilege escalation and SIP bypass in a single exploit,” he added.


Exploits based on the vulnerability could be fodder for either highly targeted or state-sponsored attacks, according to SentinelOne. Vilaça said he wasn’t aware of any malicious exploitation of the vulnerability to date while adding the caveat that attacks would be difficult to detect.

The bug exists in every version of Apple’s OS X desktop operating system. SentinelOne reported to the flaw to Apple, which has begun to roll out patches.

“The bug was patched with El Capitan 10.11.4 and iOS 9.3,” according to Vilaça. “Other versions do not appear to have a patch for this specific bug from Apple's Security Bulletin, meaning they are left vulnerable to this specific bug.”

Vilaça is due to unveil more details about the vulnerability at SysCan360 2016 security conference in Singapore later on today. ®

More about


Send us news

Other stories you might like