Microsoft finds lethal macOS 'Migraine' exploit that was bypassing Apple SIP

[Image: Hacker (Image credit: Future)]

What you need to know

  • Microsoft identified a new vulnerability, dubbed 'Migraine', that affects System Integrity Protection (SIP) on Macs.
  • Attackers leveraged it to bypass SIP and gain access to user devices, exposing them to malicious software and rootkits.
  • Working with Microsoft, Apple has released a software update to fix the issue.

In May, Microsoft discovered a new vulnerability affecting Mac users, dubbed "Migraine," and reported it to Apple. On further investigation, the company found that attackers were leveraging it to bypass System Integrity Protection (SIP) and gain access to these devices automatically, allowing them to "perform arbitrary operations on a device."

For those not familiar with System Integrity Protection, it is a security feature that protects the operating system itself from malicious modification. The feature first shipped to Mac devices with macOS Yosemite's debut and works by restricting what even the root user account can do to protected parts of macOS.


With this in mind, bypassing the security feature could cause a lot of damage, as attackers could use the opportunity to plant malware on your device. For instance, they could create persistent malware or even install rootkits. Microsoft further detailed that attackers leveraged Apple's Migration Assistant for their exploits.

Unlike most processes on a Mac, the tool is not subject to SIP's root restrictions, because otherwise it would be unable to transfer files. Through this exploit, attackers can bypass the SIP feature on macOS. Essentially, the Migration Assistant app is available during user setup, and an attacker must first gain local access to the device.

The "Migraine" security vulnerability creates a situation where attackers could easily create files protected by System Integrity Protection and then use them to bypass the same security measure; this made the attack extremely difficult to detect and therefore easier to carry out.

Luckily, Apple has since resolved the issue (CVE-2023-32369) via a software update (macOS 13.4) that shipped to users on May 18. Therefore, you should be safe if you've updated your device to the latest release.
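An added check, not part of the article, that a Mac administrator can use to confirm the two points above: that the installed macOS version is at least 13.4 (the release the article names as carrying the CVE-2023-32369 fix) and that `csrutil status` reports SIP as enabled. The version comparison and status parsing are plain POSIX shell functions, so they can also be run against saved command output on another system.

```shell
#!/bin/sh
# Added example: check for the macOS 13.4 fix release and for SIP being enabled.
# FIXED_VERSION comes from the article; the function names are this example's own.

FIXED_VERSION="13.4"

# version_at_least CURRENT REQUIRED
# Compares dotted numeric versions component by component; a missing
# component counts as 0, so "13.4" >= "13.4" and "13.4.1" >= "13.4".
version_at_least() {
    cur="$1"; req="$2"
    while [ -n "$cur" ] || [ -n "$req" ]; do
        c=${cur%%.*}; r=${req%%.*}
        case "$cur" in *.*) cur=${cur#*.} ;; *) cur="" ;; esac
        case "$req" in *.*) req=${req#*.} ;; *) req="" ;; esac
        [ "${c:-0}" -gt "${r:-0}" ] && return 0
        [ "${c:-0}" -lt "${r:-0}" ] && return 1
    done
    return 0
}

# sip_status_enabled OUTPUT
# Succeeds only if the output of `csrutil status` reports SIP as enabled.
sip_status_enabled() {
    case "$1" in
        *"System Integrity Protection status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check, only where the macOS tools exist (skipped on other systems).
if command -v sw_vers >/dev/null 2>&1 && command -v csrutil >/dev/null 2>&1; then
    running=$(sw_vers -productVersion)
    if version_at_least "$running" "$FIXED_VERSION"; then
        echo "macOS $running: at or above $FIXED_VERSION, CVE-2023-32369 fix present"
    else
        echo "macOS $running: below $FIXED_VERSION, update to get the CVE-2023-32369 fix"
    fi
    if sip_status_enabled "$(csrutil status)"; then
        echo "SIP: enabled"
    else
        echo "SIP: NOT enabled (or status could not be determined)"
    fi
fi
```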

Kevin Okemwa
Contributor

Kevin Okemwa is a seasoned tech journalist based in Nairobi, Kenya, with lots of experience covering the latest trends and developments in the industry. With a passion for innovation and a keen eye for detail, he has written for leading publications such as OnMSFT, MakeUseOf, and Windows Report, providing insightful analysis and breaking news on everything revolving around the Microsoft ecosystem. While AFK and not busy following the ever-emerging trends in tech, you can find him exploring the world or listening to music.