Microsoft has disclosed a now-patched macOS flaw tracked as CVE-2024-44243 with a CVSS score of 5.5. If exploited, the attacker is able to gain root access to bypass macOS’ System Integrity Protection (SIP). SIP protects the system by blocking any unauthorised code from running, only allowing the App Store or other known apps to run while blocking others.
Bypassing SIP allows intruders to install rootkits and RATs (Remote Access Trojans), create persistent malware and backdoors, and exploit any additional vulnerabilities they might find. According to Apple’s advisory on the issue, an app exploiting this flaw may also be able to modify protected parts of the file system. Thankfully, the vulnerability was patched in December 2024 with macOS Sequoia 15.2.
In typical Apple fashion, the tech giant did not release any information on how the bug was being exploited, or whether the bug has been exploited in the past. It simply stated that “a configuration issue was addressed with additional restrictions” and called it a day.

However, Microsoft was more open in its description of the vulnerability. Redmond explains that “if SIP is bypassed, the entire operating system can no longer be considered reliable,” in addition to showing how the vulnerability could bypass SIP on outdated macOS systems.
Experts state that SIP bypass attacks often target processes with special entitlements that are part of a process’s digital signature and can grant unique abilities to the master process. Private entitlements like this are often prefixed with “com.apple.private” and reserved for system-critical functions. Since they’re primarily undocumented by Apple, monitoring these processes for shady behaviour can help catch such attacks.
Microsoft pointed out two entitlements, namely com.apple.rootless.install and com.apple.rootless.install.heritable, that can bypass SIP specifically. The former is used by the storagekitd daemon, which is responsible for disk state management and uses the Storage Kit private framework. This gives storagekitd SIP-bypassing capabilities.
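To make the monitoring advice concrete, here is an added example (not code from Microsoft, Apple or this article's sources) that parses entitlement plists of the kind `codesign -d --entitlements` dumps on macOS and flags binaries holding either of the two rootless entitlements named above or any entitlement with the “com.apple.private” prefix. The paths, the plists and the entitlement name `com.apple.private.example` are constructed sample data.

```python
import plistlib

# The two entitlements the article names as able to bypass SIP.
SIP_BYPASS = {"com.apple.rootless.install",
              "com.apple.rootless.install.heritable"}
PRIVATE_PREFIX = "com.apple.private"  # prefix the article gives for private entitlements

def classify(entitlements_xml: bytes) -> dict:
    """Sort the granted entitlements of one binary into review buckets."""
    finding = {"sip_bypass": [], "private": [], "error": None}
    if not entitlements_xml.strip():
        return finding                      # unsigned or no entitlements at all
    try:
        ents = plistlib.loads(entitlements_xml)
    except Exception:                       # malformed plist: report, do not crash
        finding["error"] = "unparseable plist"
        return finding
    if not isinstance(ents, dict):
        finding["error"] = "plist root is not a dict"
        return finding
    # An entitlement set to boolean false is present but not granted.
    granted = [k for k, v in ents.items() if v is not False]
    finding["sip_bypass"] = sorted(k for k in granted if k in SIP_BYPASS)
    finding["private"] = sorted(k for k in granted if k.startswith(PRIVATE_PREFIX))
    return finding

def audit(samples: dict) -> dict:
    """Return {path: finding} for binaries whose behaviour deserves monitoring."""
    flagged = {}
    for path, xml in samples.items():
        f = classify(xml)
        if f["sip_bypass"] or f["private"] or f["error"]:
            flagged[path] = f
    return flagged

def _plist(body: bytes) -> bytes:
    return b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>' \
           + body + b"</dict></plist>"

# Constructed sample input: three hypothetical binaries and their entitlements.
SAMPLES = {
    "/constructed/daemon_a": _plist(
        b"<key>com.apple.rootless.install.heritable</key><true/>"
        b"<key>com.apple.private.example</key><true/>"),
    "/constructed/app_b": _plist(b"<key>com.apple.security.app-sandbox</key><true/>"),
    "/constructed/tool_c": _plist(b"<key>com.apple.rootless.install</key><false/>"),
}

if __name__ == "__main__":
    for path, f in audit(SAMPLES).items():
        print(path, f)
```

The flagged paths are the processes whose activity is worth watching; holding one of these entitlements is expected for some system daemons and is not by itself a sign of compromise.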