A zero-day flaw in Apple’s OS X may sound close to impossible. Unfortunately, researchers have indeed discovered a zero-day vulnerability that lets attackers subvert a key protection feature in the supposedly invincible operating system.
As revealed by SentinelOne researcher Pedro Vilaça during the SysCan360 2016 security conference in Singapore, the flaw exists in both OS X and iOS. Not only does it exist in both systems but it also affects all of their versions.
A Close Look at Apple’s Zero-Day
The vulnerability allows local privilege escalation. It can even bypass Apple’s latest protection feature – System Integrity Protection, or SIP. According to the researcher, the vulnerability lets an attacker get past the security feature without a kernel-based exploit. The flaw is described as a non-memory-corruption bug that allows arbitrary code to be executed in the context of any binary.
In a conversation with ZDNet, Mr Vilaça said that:
The exploit can be used to control any entitlement given by Apple to a certain binary. Because Apple needs to update the system, there are binaries authorized to make modifications, so those binaries can be exploited to bypass SIP.
The same exploit can also be used to load unsigned kernel code, and then fully disable SIP inside the kernel. In order for the attack to be initiated, a spear phishing email would be enough, or a browser vulnerability.
Moreover, he believes that the bug is 100% reliable and that it could be one link in a longer exploit chain targeting browsers such as Google Chrome and Safari.
Because the vulnerability is highly reliable and produces no visible side effects such as crashed machines or processes, it is very likely to be used in targeted or state-sponsored attacks. In short, the exploit enables:
- Arbitrary code execution;
- Remote code execution;
- Sandbox escapes;
- Privilege escalation to bypass SIP;
- Persistence on the system.
What Should Apple Users Do to Stay Protected?
The vulnerability was disclosed at the beginning of 2015 but was reported to Apple in 2016. It has been patched in the following updates:
- El Capitan 10.11.4
- iOS 9.3
If you’re running an earlier version of either iOS or OS X, you’re strongly advised to update immediately.
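A quick way for an administrator to verify the two points above on a Mac (added example, not part of the article or of SentinelOne's research): compare the installed OS X version against the first patched build listed here and confirm that SIP is still switched on. It assumes the standard `sw_vers -productVersion` and `csrutil status` commands, which exist on 10.11 and later.

```shell
#!/bin/sh
# Added example: check that this Mac runs a build that includes the SIP fix
# (10.11.4 per the article) and that SIP itself is enabled.
# Assumes `sw_vers` and `csrutil` are available (OS X 10.11 and later).

FIXED_OSX="10.11.4"   # first OS X release listed as patched

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Missing trailing components count as 0, so "10.11" is lower than "10.11.4".
version_lt() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        x=${v1%%.*}; y=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1="" ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2="" ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# sip_state: prints "enabled", "disabled" or "unknown" (csrutil missing).
sip_state() {
    command -v csrutil >/dev/null 2>&1 || { echo unknown; return; }
    if csrutil status 2>/dev/null | grep -q 'status: enabled'; then
        echo enabled
    else
        echo disabled
    fi
}

# check_host: exit 0 when the OS is at or above FIXED_OSX and SIP is on;
# otherwise report what is wrong and exit 1.
check_host() {
    cur=$(sw_vers -productVersion)
    rc=0
    if version_lt "$cur" "$FIXED_OSX"; then
        echo "OS X $cur is below $FIXED_OSX: update required"; rc=1
    fi
    state=$(sip_state)
    if [ "$state" != enabled ]; then
        echo "SIP is not enabled (csrutil reports: $state)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OS X $cur with SIP enabled: fix present"
    return "$rc"
}

# Run the check only where sw_vers exists, i.e. on a Mac.
if command -v sw_vers >/dev/null 2>&1; then check_host; fi
```

Running it on an unpatched machine or one where SIP has been disabled prints the reason and exits non-zero, so it can be dropped into a fleet inventory script.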