{"id":99897,"date":"2021-10-28T09:00:13","date_gmt":"2021-10-28T16:00:13","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=99897"},"modified":"2025-06-23T01:53:21","modified_gmt":"2025-06-23T08:53:21","slug":"microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/","title":{"rendered":"Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Microsoft has discovered a vulnerability that could allow an attacker to bypass <a href=\"https:\/\/developer.apple.com\/documentation\/security\/disabling_and_enabling_system_integrity_protection\">System Integrity Protection<\/a> (SIP) in macOS and perform arbitrary operations on a device. We also found a similar technique that could allow an attacker to elevate their privileges to root an affected device. We shared these findings with Apple through <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/cvd?rtc=1\">Coordinated Vulnerability Disclosure<\/a> (CVD) via <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/msvr\">Microsoft Security Vulnerability Research<\/a> (MSVR). A fix for this vulnerability, now identified as <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-30892\">CVE-2021-30892<\/a>, was included in the <a href=\"https:\/\/support.apple.com\/en-us\/HT212872\">security updates<\/a> released by Apple on October 26, 2021.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SIP is a security technology in macOS that restricts a root user from performing operations that may compromise system integrity. We discovered the vulnerability while assessing processes entitled to bypass SIP protections. 
We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP\u2019s restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This OS-level vulnerability and others that will inevitably be uncovered add to the growing number of possible attack vectors for attackers to exploit. As networks become increasingly heterogeneous, the number of threats that attempt to compromise non-Windows devices also increases. <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/microsoft-defender-endpoint-mac?view=o365-worldwide\">Microsoft Defender for Endpoint on Mac<\/a> enables organizations to gain visibility and detect threats on macOS devices. Such visibility rolls up to <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/endpoint-defender\">Microsoft Defender for Endpoint<\/a>, which provides organizations with a \u201csingle pane of glass\u201d where they can detect, manage, respond, and remediate vulnerabilities and threats across different platforms.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this blog post, we will share some information about SIP, examine the common types of SIP bypasses previously disclosed, and present the unique ones we discovered.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"sip-overview\">SIP overview<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">First introduced by Apple in macOS Yosemite, SIP\u2014also known as \u201crootless\u201d\u2014essentially locks down the system from root by leveraging the Apple sandbox to protect the entire platform. 
Internally, it is controlled by the following NVRAM variables:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>csr-active-config:<\/strong> bitmask of enabled protections<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>csr-data:<\/strong> stores netboot configuration<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">These variables cannot be legitimately modified in non-recovery mode. Therefore, the only legitimate way to disable SIP is by booting into recovery mode and turning SIP off. Turning SIP on or off is done using the built-in <em>csrutil<\/em> tool, which can also display the SIP status:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"859\" height=\"189\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig1-scrrenshot-of-csrutil-showing-SIP-status.png\" alt=\"Screenshot of csrutil showing the SIP status\" class=\"wp-image-99912\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig1-scrrenshot-of-csrutil-showing-SIP-status.png 859w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig1-scrrenshot-of-csrutil-showing-SIP-status-300x66.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig1-scrrenshot-of-csrutil-showing-SIP-status-768x169.png 768w\" sizes=\"auto, (max-width: 859px) 100vw, 859px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 1: csrutil showing the SIP status. Note that SIP cannot be disabled from non-recovery OS.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <em>csr-active-config<\/em> bitmask NVRAM variable describes the different protections SIP offers. 
While not an exhaustive list, below are a few honorable mentions; the rest can be freely examined in the <a href=\"https:\/\/opensource.apple.com\/source\/xnu\/xnu-4570.71.2\/bsd\/sys\/csr.h\">XNU source code<\/a>:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>csr-active-config NVRAM bit<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td><strong>CSR_ALLOW_UNTRUSTED_KEXTS<\/strong><\/td><td>Controls the loading of untrusted kernel extensions<\/td><\/tr><tr><td><strong>CSR_ALLOW_UNRESTRICTED_FS<\/strong><\/td><td>Controls write access to restricted filesystem locations<\/td><\/tr><tr><td><strong>CSR_ALLOW_TASK_FOR_PID<\/strong><\/td><td>Controls whether to allow getting a task port for Apple processes (that is, invoke the <em>task_for_pid<\/em> API)<\/td><\/tr><tr><td><strong>CSR_ALLOW_UNRESTRICTED_NVRAM<\/strong><\/td><td>Controls unrestricted NVRAM access<\/td><\/tr><tr><td><strong>CSR_ALLOW_KERNEL_DEBUGGER<\/strong><\/td><td>Controls whether to allow kernel debugging<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Compromising any of these protections could enable attackers to bypass SIP completely. Some scenarios include the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Loading untrusted kernel extensions could compromise the kernel and allow the said extensions to perform operations without any checks<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Bypassing filesystem checks could allow a kernel extension to enforce SIP to itself completely<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Freely modifying the NVRAM could control SIP itself<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"filesystem-restrictions\">Filesystem restrictions<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Over the years, Apple has hardened SIP against attacks by improving restrictions. 
One of the most notable SIP restrictions is the filesystem restriction. This is especially important for red teamers and malicious actors, as the amount of damage one can do to a device\u2019s critical components depends directly on their ability to write unrestricted data to disk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The file <em>\/System\/Library\/Sandbox\/rootless.conf<\/em> generally controls which files are SIP-protected. While that file is itself SIP-protected, one can use <em>ls<\/em> with the <em>-O<\/em> flag to list which files are similarly protected: SIP-protected files carry the \u201crestricted\u201d flag.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"319\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig2-Listing-usr-with-o-option.png\" alt=\"Screenshot of \/usr with the -O option\" class=\"wp-image-99915\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig2-Listing-usr-with-o-option.png 936w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig2-Listing-usr-with-o-option-300x102.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig2-Listing-usr-with-o-option-768x262.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 2: Listing \/usr with the -O option. \/usr\/local is not SIP-protected, but \/usr\/sbin is.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Files with the extended attribute <em>com.apple.rootless<\/em> are likewise SIP-protected. Of course, there\u2019s no legitimate way to add that extended attribute to a file; otherwise, malware could use SIP to protect itself. The filesystem restrictions are an effective way of constraining attackers. 
For instance, much of the <em>\/System<\/em> directory and its subdirectories is SIP-protected.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1430\" height=\"96\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig3-Screenshot-of-SIP-blocking-LaunchDaemon.png\" alt=\"Screenshot of SIP blocking a malicious LaunchDaemon registration\" class=\"wp-image-99918\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig3-Screenshot-of-SIP-blocking-LaunchDaemon.png 1430w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig3-Screenshot-of-SIP-blocking-LaunchDaemon-300x20.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig3-Screenshot-of-SIP-blocking-LaunchDaemon-1024x69.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig3-Screenshot-of-SIP-blocking-LaunchDaemon-768x52.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig3-Screenshot-of-SIP-blocking-LaunchDaemon-1420x96.png 1420w\" sizes=\"auto, (max-width: 1430px) 100vw, 1430px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 3: SIP blocking a malicious LaunchDaemon registration, a technique frequently used for persistence.<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"rootless-entitlements\">Rootless entitlements<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Since the filesystem restrictions are so powerful, Apple must account for a few exceptional cases. For example, system updates require unrestricted access to SIP-protected directories. Therefore, Apple introduced a particular set of entitlements that bypass SIP checks by design. These entitlements are fine-tuned to specific SIP checks, and only Apple can assign them. 
So naturally, Apple only assigns these entitlements to its processes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In our research, we focused on two powerful entitlements, which have also been targets of vulnerability hunters:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Entitlement<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td><strong>com.apple.rootless.install<\/strong><\/td><td>Completely bypasses SIP filesystem checks<\/td><\/tr><tr><td><strong>com.apple.rootless.install.heritable<\/strong><\/td><td>Inherits <em>com.apple.rootless.install<\/em> to child processes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1430\" height=\"263\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig4-Screenshot-of-entitled-process.png\" alt=\"Screenshot of &quot;com.apple.rootless.install&quot; entitled process\" class=\"wp-image-99921\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig4-Screenshot-of-entitled-process.png 1430w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig4-Screenshot-of-entitled-process-300x55.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig4-Screenshot-of-entitled-process-1024x188.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig4-Screenshot-of-entitled-process-768x141.png 768w\" sizes=\"auto, (max-width: 1430px) 100vw, 1430px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 4: An example of a &#8220;com.apple.rootless.install&#8221; entitled process<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"a-quick-rundown-of-notable-sip-bypasses\">A quick rundown of notable SIP 
bypasses<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Before our discovery, several interesting SIP bypass vulnerabilities had already been reported. In this section, we categorize these vulnerabilities into several classes and provide an example for each. Note that this is not a complete list; for instance, we excluded vulnerabilities involving the kernel itself because SIP only protects userland.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"abusing-dynamic-libraries\">Abusing dynamic libraries<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Previously, entitled processes could still load arbitrary dynamic libraries. One such example was <a href=\"https:\/\/objective-see.com\/blog\/blog_0x14.html\">presented in 2016<\/a>, where <em>libBaseIA.dylib<\/em>, a library local to the app, was loaded by an entitled binary and could be infected with malicious code. At that point, the SIP bypass could be implemented entirely in the malicious dylib.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mounting\">Mounting<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In a security update for OS X 10.11.2, Apple fixed a <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-9771\">security bug<\/a> that was also abused by the MacDefender malware. The vulnerability could allow a malicious .dmg file to be mounted (using hdiutil) over a SIP-protected folder, thereby completely bypassing SIP filesystem restrictions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"abusing-entitlements\">Abusing entitlements<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Entitled processes have also been sources of security bypasses. One notable example is a bypass that <a href=\"https:\/\/www.theregister.com\/2016\/03\/30\/apple_os_x_rootless\/\">used the entitled <em>fsck_cs<\/em> utility<\/a>. 
The bypass exploited the fact that <em>fsck_cs<\/em> would follow symbolic links and attempt to fix the filesystem presented to it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Therefore, an attacker could create a symbolic link pointing from <em>\/dev\/diskX<\/em> to <em>\/System\/Library\/Extensions\/AppleKextExcludeList.kext\/Contents\/Info.plist<\/em> and invoke fsck_cs on the former. As the <em>Info.plist<\/em> file gets corrupted, the operating system could no longer control kernel extension exclusions, therefore bypassing SIP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-shrootless-vulnerability\">The \u2018Shrootless\u2019 vulnerability<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">While assessing macOS processes entitled to bypass SIP protections, we came across the daemon <em>system_installd<\/em>, which has the powerful <em>com.apple.rootless.install.heritable<\/em> entitlement. With this entitlement, any child process of <em>system_installd<\/em> would be able to bypass SIP filesystem restrictions altogether.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1430\" height=\"709\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig5-screenshot-of-system-installed-components.png\" alt=\"Screenshot of system_installd entitlements\" class=\"wp-image-99924\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig5-screenshot-of-system-installed-components.png 1430w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig5-screenshot-of-system-installed-components-300x149.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig5-screenshot-of-system-installed-components-1024x508.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig5-screenshot-of-system-installed-components-768x381.png 768w\" sizes=\"auto, (max-width: 
1430px) 100vw, 1430px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 5: system_installd entitlements. Note the &#8220;com.apple.rootless.install.heritable&#8221;<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Since Microsoft Defender for Endpoint has a post-breach component, we decided to examine all the child processes of <em>system_installd<\/em>. To our surprise, we saw a few cases that could allow attackers to abuse its functionality and bypass SIP.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For instance, when installing an Apple-signed package (.pkg file), the said package invokes <em>system_installd<\/em>, which then takes charge of installing the former. If the package contains any post-install scripts, <em>system_installd<\/em> runs them by invoking a default shell, which is <a href=\"https:\/\/zsh.sourceforge.io\/\"><em>zsh<\/em><\/a> on macOS. Interestingly, when <em>zsh<\/em> starts, it looks for the file <em>\/etc\/zshenv<\/em>, and\u2014if found\u2014runs commands from that file automatically, even in non-interactive mode. 
Therefore, for attackers to perform arbitrary operations on the device, a fully reliable path they could take would be to create a malicious <em>\/etc\/zshenv<\/em> file and then wait for <em>system_installd<\/em> to invoke <em>zsh<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To create a fully functional proof-of-concept (POC) exploit, we implemented the following algorithm:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Download an Apple-signed package (using <em>wget<\/em>) that is known to have a post-install script<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Plant a malicious <em>\/etc\/zshenv<\/em> that would check for its parent process; if it\u2019s <em>system_installd<\/em>, then it would write to restricted locations<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Invoke the <em>installer<\/em> utility to install the package<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">As seen in Figure 6 below, the POC exploit was able to override the kernel extension exclusion list:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1430\" height=\"782\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig6-POC-exploit.png\" alt=\"Screenshot of proof of concept exploit for CVE-2021-30892\" class=\"wp-image-99927\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig6-POC-exploit.png 1430w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig6-POC-exploit-300x164.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig6-POC-exploit-1024x560.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Fig6-POC-exploit-768x420.png 768w\" sizes=\"auto, (max-width: 1430px) 100vw, 1430px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center wp-block-paragraph\"><em>Figure 6: Our POC exploit overriding the 
kernel extension exclusion list with arbitrary data<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"zshenv-as-an-attack-technique\"><em>zshenv<\/em> as an attack technique<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">During our research, we also found that <em>zshenv<\/em> could be used as a general attack technique beyond the SIP bypass. We discovered that <em>\/etc\/zshenv<\/em> has an equivalent for each user profile under <em>~\/.zshenv<\/em>, which has the same function and behavior but doesn\u2019t require root permissions to write to.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Generally, <em>zshenv<\/em> could be used in the following ways:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>A persistence mechanism. <\/strong>It could simply wait for <em>zsh<\/em> to start (either globally under <em>\/etc<\/em> or per user).<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><strong>An elevation of privilege mechanism.<\/strong> The home directory doesn\u2019t change when an admin user elevates to root using <em>sudo -s<\/em> or <em>sudo &lt;command><\/em>. Thus, placing a <em>~\/.zshenv<\/em> file as the admin and waiting for the admin to use <em>sudo<\/em> later would trigger the <em>~\/.zshenv<\/em> file, hence elevating to root.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">We shared our findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). 
We want to thank the Apple product security team for their professionalism and responsiveness in fixing the issue.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"hardening-device-security-through-vulnerability-management-and-behavioral-monitoring\">Hardening device security through vulnerability management and behavioral monitoring<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Security technology like SIP in macOS devices serves both as the device\u2019s built-in baseline protection and the last line of defense against malware and other cybersecurity threats. Unfortunately, malicious actors continue to find innovative ways of breaching these barriers for these very same reasons. They can take complete control of the device and run any files or processes they wish without getting detected by traditional security solutions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Our research on the CVE-2021-30892 vulnerability exemplifies this. It highlights the need for organizations to have a security solution like <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/threat-protection\/endpoint-defender\">Microsoft Defender for Endpoint<\/a> that empowers them to quickly discover and remediate vulnerabilities through <a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/next-gen-threat-and-vuln-mgt?view=o365-worldwide\">threat and vulnerability management<\/a>. This allows defenders to detect vulnerabilities and misconfigurations on devices in real time and prioritize which need to be addressed immediately based on the threat landscape, business context, and other factors.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In addition, Microsoft Defender for Endpoint uses advanced behavioral analytics and machine learning to detect anomalous activities on a device, such as overwriting arbitrary SIP-protected files that our POC exploit is capable of. 
In the example provided in the previous section, it is anomalous for <em>zsh<\/em> to override the kernel extension exclusion list. As such, Defender for Endpoint detects it. Extending the concept, Defender for Endpoint has similar detections for sensitive file access, including system launch daemons, the <em>rootless.conf<\/em> file, and many more.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, this research underscores the importance of collaboration among security researchers, software vendors, and the larger security community. As cross-platform threats continue to increase, vulnerability discoveries, coordinated response, and other forms of threat intelligence sharing help enrich our protection technologies that secure users\u2019 computing experience regardless of the platform or device they\u2019re using.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/endpoint-defender\">Learn how Microsoft Defender for Endpoint delivers a complete endpoint security solution across all platforms<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em>Jonathan Bar Or<\/em><\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Microsoft 365 Defender Research Team<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft found a vulnerability (CVE-2021-30892) that could allow an attacker to bypass System Integrity Protection (SIP) in macOS. 
We shared our findings with Apple via coordinated vulnerability disclosure, and a fix was released October 26.<\/p>\n","protected":false},"author":68,"featured_media":99987,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","_alt_title":"","ms-ems-related-posts":[],"footnotes":""},"post_tag":[3898,3785],"threat-intelligence":[3739],"content-type":[3663],"job-role":[],"product":[3690,3694],"topic":[3687],"coauthors":[3380],"class_list":["post-99897","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-elevation-of-privilege","tag-macos","threat-intelligence-vulnerabilities-and-exploits","content-type-research","product-microsoft-defender","product-microsoft-defender-for-endpoint","topic-threat-intelligence","review-flag-1694638265-576","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-6-1694638266-691","review-flag-disable","review-flag-disabled","review-flag-machi-1694638272-641"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft finds new macOS vulnerability, Shrootless, 
that could bypass System Integrity Protection | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Microsoft found a vulnerability (CVE-2021-30892) that could allow an attacker to bypass System Integrity Protection (SIP) in macOS. We shared our findings with Apple via coordinated vulnerability disclosure, and a fix was released October 26.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-28T16:00:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-23T08:53:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Shrootless-SIP-macOS-vulnerability-POC-exploit.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1430\" \/>\n\t<meta property=\"og:image:height\" content=\"782\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Shrootless-SIP-macOS-vulnerability-POC-exploit.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection\",\"datePublished\":\"2021-10-28T16:00:13+00:00\",\"dateModified\":\"2025-06-23T08:53:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\"},\"wordCount\":1898,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Shrootless-macOS-SIP-vulnerability-2.jpg\",\"keywords\":[\"Elevation of 
privilege\",\"macOS\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\",\"name\":\"Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Shrootless-macOS-SIP-vulnerability-2.jpg\",\"datePublished\":\"2021-10-28T16:00:13+00:00\",\"dateModified\":\"2025-06-23T08:53:21+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-
bypass-system-integrity-protection\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Shrootless-macOS-SIP-vulnerability-2.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2021\/10\/Shrootless-macOS-SIP-vulnerability-2.jpg\",\"width\":1200,\"height\":800},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/10\/28\/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security 
Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/person\/060b835777058efc81d6828a64820f98\",\"name\":\"Microsoft Security Threat Intelligence - Editor\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g52243f56b7f8688616d4ca12dc0148e2\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/52c6f8d687a54d49c87e04326b24f4ed410c7a6535e21df3cca90d21039c9089?s=96&d=microsoft&r=g\",\"caption\":\"Microsoft Security Threat Intelligence - Editor\"},\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/eravena\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}