Even after patches, Apple's rootless feature can reportedly be bypassed

Apple's System Integrity Protection (SIP) feature, introduced into its OS X El Capitan operating system to restrict system changes at the root level, can be circumvented by simple code, according to an article in The Register.

Even though Apple's most recent OS updates—El Capitan 10.11.4 and iOS 9.3—patched a non-memory-corruption bug in its rootless code, flaws remain in SIP-entitled programmes that could allow SIP to be bypassed, The Register explained, citing researcher Stefan Esser from German security firm SektionEins.

For example, the article continued, Esser found a vulnerability in /sbin/fsck_cs, a programme that is allowed to modify SIP-protected files, and is designed to verify and repair CoreStorage logical volume groups. The article noted that code small enough to fit in a tweet could exploit this flaw in order to “wreck a crucial OS X configuration file that not even root is normally allowed to touch.”
