Until their operating systems are updated, most of the Apple Macs, iPhones and iPads used by businesses remain vulnerable to attacks exploiting the flaw.
SentinelOne reported the vulnerability in January 2016 to Apple, which removed the flaw in the latest versions of its operating systems. It is not known if any patches for earlier versions are planned.
The vulnerability enabled attackers to escalate their privileges and bypass System Integrity Protection (SIP), Apple’s newest protection feature.
SentinelOne security researcher Pedro Vilaça discovered the flaw and presented his findings at the SysCan360 2016 security conference in Singapore on 24 March 2016.
According to Vilaça, the vulnerability is a logic bug rather than a memory-corruption bug, and it could allow attackers to execute arbitrary code on any binary.
He found attackers could use the flaw to bypass the SIP security feature introduced in OS X El Capitan (version 10.11) without kernel exploits.
SIP is designed to prevent potentially malicious software from modifying protected files and folders, thus protecting the system from anyone who has root access, authorised or not.
The same exploit also lets attackers escalate privileges, so a security feature designed to protect users from malware can instead be turned into a way for malware to persist, by writing to the protected locations SIP would otherwise keep off-limits even to root.
To exploit this vulnerability, an attacker must already have code execution on the target system, typically gained through a phishing attack or browser exploit; it is a post-compromise privilege escalation and SIP bypass, not a remote entry point.
According to Vilaça, it is a logic-based vulnerability that is extremely reliable and stable, and does not crash machines or processes, making it ideal for targeted or state-sponsored attacks.
Near-impossible to detect
SentinelOne said the vulnerability provides further evidence that exploits can be extremely stealthy, and sometimes virtually impossible to detect.
The nature of this particular exploit, the security company said, lets it evade defences because it relies on reliable, stable techniques that produce none of the obvious warning signs, such as crashes or memory corruption, that traditional detection mechanisms look for.
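Because the exploit itself produces no crash or memory-corruption artefact, a practical compensating control for machines that cannot be patched yet is to watch the outcome rather than the technique: SIP-protected paths are not supposed to change outside an OS update, so a hashed baseline of those trees, re-checked periodically, will flag the write an attacker makes to persist no matter how the bypass was achieved. The script below is an added example, not SentinelOne's or Apple's code. The list of protected roots (/System, /usr, /bin, /sbin), the sample file tree and the simulated "patched binary plus new launch daemon" writes are assumptions constructed for the demo; on a real Mac you would point it at the live paths and keep the baseline somewhere the host cannot rewrite.

```python
"""Baseline-and-diff check for directory trees that should never change.

Added example (not SentinelOne's or Apple's code). A SIP bypass gives an
attacker the ability to write where root normally cannot; snapshotting
every file's SHA-256 under those roots and re-comparing later catches
the resulting modification or new file regardless of how it got there.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple

# Assumed for illustration: the SIP-protected roots on macOS (note that
# /usr/local is deliberately left writable by Apple). Pass your own list.
DEFAULT_ROOTS = ["/System", "/usr", "/bin", "/sbin"]


def _sha256(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Symlinks and device/special files are skipped: only content
            # that can be patched in place is worth hashing here.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline


def diff_against_baseline(
    root: str, baseline: Dict[str, str]
) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (added, modified, removed) relative paths versus the baseline."""
    current = build_baseline(root)
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in set(current) & set(baseline) if current[p] != baseline[p]}
    return added, modified, removed


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Constructed scenario: a fake protected tree, then simulated persistence writes."""
    tmp = tempfile.mkdtemp(prefix="sipcheck_")
    os.makedirs(os.path.join(tmp, "bin"))
    os.makedirs(os.path.join(tmp, "Library", "LaunchDaemons"))
    with open(os.path.join(tmp, "bin", "ls"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe original mach-o bytes")  # constructed stand-in
    with open(os.path.join(tmp, "Library", "LaunchDaemons", "com.apple.example.plist"), "w") as f:
        f.write("<plist/>")
    baseline = build_baseline(tmp)

    # Simulated post-bypass writes an attacker would make to persist:
    # append a payload to a system binary and drop a new launch daemon.
    with open(os.path.join(tmp, "bin", "ls"), "ab") as f:
        f.write(b" + injected payload")
    with open(os.path.join(tmp, "Library", "LaunchDaemons", "com.evil.persist.plist"), "w") as f:
        f.write("<plist/>")

    return diff_against_baseline(tmp, baseline)


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", sorted(added))
    print("modified:", sorted(modified))
    print("removed:", sorted(removed))
```

The check is deliberately indifferent to how the write happened; that is the point when the exploit leaves no crash or signature to match. Its weakness is the baseline itself: an attacker with the same write primitive can rewrite a baseline stored on the host, so keep it on a remote system or read-only media and re-baseline only after a verified OS update.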
Piers Wilson, head of product management, Huntsman Security, said zero-day flaws such as this are incredibly difficult to pick up as they take advantage of loopholes that the software maker and end-user are unaware of.
“They are, by definition, unpatched. Traditional security solutions like anti-virus and intrusion detection systems are signature-based and are looking out only for symptoms of known malicious threats,” he said.
Since this type of exploit appears to be legitimate to security systems, Wilson said it does not get flagged as a threat and is therefore allowed through.
“The first sign an organisation will often get that they’ve been breached will be when strange activity, data flows or system behaviour starts taking place; or worse still, when stolen data appears in the CEO’s inbox with a ransom demand to prevent it being leaked online,” he said.
According to Wilson, it is vital that organisations have the ability to monitor their systems for any suspicious activity in real-time, so that security teams can hunt down unauthorised intruders before they can access anything sensitive or do any real damage.