Security Unlocked 12.22.21
Ep 54 | 12.22.21

I am Shroot-less


Nic Fillingham: Hello, and welcome to "Security Unlocked," a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft's Security, Engineering and Operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dives into the newest threat intel, research and data science. 

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security. 

Natalia Godyla: And now, let's unlock the pod. 

Natalia Godyla: Hello, everyone. Welcome to another episode of "Security Unlocked." And happy holidays to everyone. I hope everyone is getting some much-deserved time off, time with the friends and family to really enjoy the season, no matter what holiday you're celebrating. Nic, what about yourself? What are you up to this season? 

Nic Fillingham: Well, Natalia, we normally have a big feast, as a lot of people do, and we often eat turkey. That's often one of the meats that we enjoy at this particular holiday feast. And for this particular holiday, there might be a homegrown turkey that finds its way onto the plate, and one in particular, one turkey in particular, who has just smashed into a million pieces the window to my basement office that is, like, 3 feet from my face. 

Nic Fillingham: I was recording a podcast, and all of a sudden there's an almighty crash. And I look up, and a turkey has run at full speed and full force into the window and just smashed it into a million pieces and then, you know, just sort of shaken it off and walked away. And that's - I don't know how many hundreds of dollars that's going to cost to repair. And the turkey doesn't care. So to borrow a Klingon phrase, revenge is a dish best served with cranberry sauce. Is that how it goes? 

Natalia Godyla: That sounds right. And, I mean, that's exactly in the holiday spirit, right? It's... 

Nic Fillingham: Absolutely. 

Natalia Godyla: ...Not about warmth and... 

Nic Fillingham: No. 

Natalia Godyla: ...Family time. 

Nic Fillingham: Retribution. 

Natalia Godyla: Yeah, 100%. 

Nic Fillingham: Petty retribution against semi-sentient animals who don't have any idea what they're doing and are really quite innocent. I sound like a monster. 

Natalia Godyla: (Laughter) In your defense, this isn't the first time they have breached the house or tried to breach the house. 

Nic Fillingham: No. Actually, all the animals on our little farm have been pen testing the Fillingham house for years now. I've got some vulnerabilities in my house's defense that need to be shored up. 

Natalia Godyla: Well, maybe you can invite Jonathan Bar Or to help out. And he is the guest for today. He'll be a returning guest to the "Security Unlocked" podcast. And he's a principal security researcher here at Microsoft, and he'll be joining us to talk about a new macOS vulnerability that he identified, Shrootless, that could bypass System Integrity Protection. What were the big takeaways from this conversation? 

Nic Fillingham: Two big takeaways here. Microsoft is invested in finding vulnerabilities and then working with the platform owners for products and technologies that aren't Microsoft. And I think that's sort of an interesting thing for people to sort of realize - that there is a team, or there are teams of people out there going and doing that. And that's because we live in this heterogeneous environment. And real-world customer environments have multiple devices and multiple endpoints for multiple manufacturers and multiple platforms. And so it's imperative that we don't just shore up or we don't just sort of defend the Microsoft platforms. 

Nic Fillingham: And the second thing is that the relationship that JBO and team had with Apple as part of disclosing to them this vulnerability, working with them on the fix, getting that deployed and then ultimately going public with the blog post - just a fantastic relationship and just sort of great to hear that when it comes to security, you know, big players, like Apple, like Microsoft, have sort of a really good working relationship for the benefit of the industry at large. That was sort of a great takeaway. I sort of enjoyed hearing JBO's perspective on how he worked with Apple on that. 

Natalia Godyla: And I think with that, on with the pod? 

Nic Fillingham: On with the pod. 

Nic Fillingham: Welcome back to the "Security Unlocked" podcast, Jonathan Bar Or, JBO. Thanks for joining us again. Welcome back to the podcast. 

Jonathan Bar Or: Thank you. It's great to be back. 

Nic Fillingham: Keen listeners and subscribers of the "Security Unlocked" podcast will hopefully remember you from Episode 37, where we talked about some vulnerabilities that you discovered in a router. And we talked about that process. We talked about that vulnerability discovery. We talked about the entire process. You're back. 

Nic Fillingham: And the point I was going to make, which I didn't, about that interesting conversation is it was not a Microsoft product. It was not Microsoft software. It was another company that is not Microsoft or owned by Microsoft that was making a physical router and that had their own software completely independent of Microsoft. 

Nic Fillingham: And so that was a fascinating conversation to learn more about your role, to learn more about how Microsoft does spend time and sort of invest in not just identifying vulnerabilities in products outside of the Microsoft family, but then also working with the manufacturers to get those vulnerabilities addressed. 

Nic Fillingham: And that's why you're back today. We're here to talk about a blog post that was published on October 28, 2021, titled "Microsoft Finds New macOS Vulnerability, Shrootless, That Could Bypass System Integrity Protection," or SIP. Great blog. Thanks again for coming back. Let's recap for the audience who you are, JBO. What do you do? And then we can maybe jump into the headline here. 

Jonathan Bar Or: Yeah, sure. Gladly. So as you said, my name is Jonathan. I work for Microsoft as a security researcher. And specifically, now I'm - let's see if I get the title correctly. I'm the Microsoft Defender for Endpoint research architect for cross-plat. If you remove all the - most of the words and just focus on cross-plat, that's basically what I do. So cross-plat would be cross-platform, so everything that specifically doesn't run Windows is kind of under my responsibility. 

Nic Fillingham: So only a very small subset of potential pieces of technology there. It's not large. 

Jonathan Bar Or: it's quite a lot. It's quite a lot. It's massive. And in many cases, it requires very different approaches. Technically speaking, let's say, macOS is very different from Linux, and Linux is very different from Windows. We're also doing Android and iOS. So it's a big party with lots of interesting guests, I would say. 

Jonathan Bar Or: It requires, you know, a lot of dedication and smart people around you. I would say that besides the fact that it's - you know, there is a variety of technologies there, they also have a very good number of machines that run these things, right? Even Microsoft, we have tons internally. We have tons of Mac users. We have many Linux servers. You have people bringing their Android to work. Well, everyone's working remotely, so it makes things a bit more complicated. But you do get the point. 

Jonathan Bar Or: So, yeah, that's my responsibility. And this is why, you know, I started looking at the security aspects of certain operating systems, including macOS, in this case. 

Natalia Godyla: So with the massive ecosystem that your role targets, how do you decide what to work on? So for instance, finding this vulnerability - what drove you to dig in more and figure out what was happening? Was it part of a larger exercise, maybe, around Mac products? 

Jonathan Bar Or: Yeah. So that's a - I don't know if it's a funny story. Yeah, let's say it's a funny story. I... 

Nic Fillingham: Bar is very high on this podcast for funny stories, Jonathan. 

Jonathan Bar Or: Yeah, it's not a funny story. 


Jonathan Bar Or: I would say the first three or four words in my title were Microsoft Defender for Endpoint. So this is my responsibility. And one of the things that we're doing is investing a lot in cross-platform protection. And we do recognize that people that don't use Windows - let's say Mac users, Linux users, Android and so on - it's a huge market, as you said, and a lot of them do not run any security products on their endpoints. 

Jonathan Bar Or: And we do recognize that there are threats out there, right? We've seen Android malware. MacOS has its fair share of malware. iOS has, you know, notorious NSO Pegasus payloads and so on, right? So we do recognize that we need to invest in these areas. 

Jonathan Bar Or: And the funny part of the unfunny story is that I am not a macOS expert at all. In fact, I was - I'm kind of a beginner, I would say. So what I ended up doing is learning macOS, let's say, every time reading about this certain security aspect of the operating system and then trying to see or validate, if you want to call it like that, how far my knowledge extends, right? 

Jonathan Bar Or: So when I learned about TCC - that's a different macOS security mechanism - I started tweaking with that. And when I learned about Gatekeeper - that's a different macOS security technology - I invested in that and tried - also tried bypassing it, of course. And when I learned about SIP, System Integrity Protection, or rootless - that's the other name for it - I invested in that. And this is how I got basically to that vulnerability. 

Jonathan Bar Or: And, of course, we responsibly reached out to Apple, provided them with the proof-of-concept exploits. We didn't disclose it anywhere else, of course. We wanted to do it in a responsible manner and also provided them some of our opinions on how that should be solved, as well as validating that, indeed, it was resolved in a durable way after they released their fix to us kind of privately. 

Jonathan Bar Or: And this is a good opportunity to thank Apple publicly for, you know, being very professional and also collaborating with us quite a lot. 

Nic Fillingham: I just want to sort of put a point on this one which I just think is fascinating. So Microsoft Defender for Endpoint and the sort of Microsoft Defender family now expands well beyond the Windows ecosystem and Windows operating systems. Obviously, there's different flavors of the protection service for the various endpoints. As you mentioned, there's macOS, there's Linux, there's Android, there's IoT, et cetera, et cetera. 

Nic Fillingham: But it sounds like what your team does is go sort of way beyond just sort of building a product for a non-Windows operating system and actually is investing heavily in trying to actually just make those other operating systems harder and safer to - you know, safer to operate, harder to exploit. 

Nic Fillingham: Can you just give us a little bit more information? Like, how big is - is it just you and one other person? Is this a big enterprise? Like, how can we sort of wrap our head around the sort of the level of investment, maybe just in terms of, like, people that are thinking about non-Windows platforms and devices and trying to make them better and trying to find vulnerabilities to go get them addressed? 

Jonathan Bar Or: I would say that, first of all, by the way, Defender changed its name from Windows Defender to Microsoft Defender just because we went cross-plat - right? - because it's not Windows anymore. 

Nic Fillingham: Right. Did I say Windows Defender? I'm sorry. 

Jonathan Bar Or: Oh, no, no, no. You did. I just wanted to emphasize that you change the W, like, 180 degrees and you get an M. So Microsoft - MDE now. 

Nic Fillingham: That's true. 

Jonathan Bar Or: And then, yeah, I would say that the vulnerability research part is important because we know that other folks, like bad folks, outside are doing it as well. 

Jonathan Bar Or: I would say that it's kind of a minor part in the grand scheme of things. You have tons of folks working on cross-plat, you know, engineers that have to make sure that we have the capabilities, even, to protect against malware families or vulnerabilities. We have security researchers who are just mapping techniques that are used by malware authors. In many cases, malware authors will use vulnerabilities as well. I think there were quite a few in macOS this year specifically. 

Jonathan Bar Or: And a lot of what we do, and specifically what I do, is making sure that we get the right training to folks, as well as validating product truth. And to validate product truth, what we do once in a while is to run what we call a red team exercise, when we basically build an attack end to end - and some of them are, you know, pre-breach exploits, and some of them are post-breach techniques - and trying to validate what we do detect, what we don't detect, what we block, what we simply alert on and trying to get better. 

Jonathan Bar Or: So, for instance, it's very hard to do that, let's say, with a SIP bypass. But - I don't know - stealing cookies from browsers is something that we definitely invest in - not invest in the stealing itself, but rather in the - we invest in that, too, but rather the detecting or blocking cookie stealers on Linux, on Mac. And then not only do we validate that our, you know, our defenders actually block these things or detect them if it's - if we're not able to block at the time, but also, we kind of mutate to these attacks - right? - so to make sure that our detections are more durable. 

Natalia Godyla: Thank you for that. So briefly mentioned, maybe one question ago, what had actually happened. So you had found a vulnerability in the System Integrity Protection, or rootless, in macOS. I'd love to start digging into that. Let's start with what the heck System Integrity Protection is. Can you give us a little bit of an overview of what that security tool is, and then we can talk more deeply about the exploit? 

Jonathan Bar Or: Yeah, of course. So traditionally, in what we call POSIX systems, you have all sorts of users, and then you have the root user, which is - it's also called super user or a user that have - that has permissions to do whatever they want. 

Jonathan Bar Or: Apple recognized at some point that, just like in Windows, where you have a lot of malware that runs as administrator, in macOS, you also had many attackers and malware families that were also relying on running as root. And in many cases, what these things could do is to, let's say, modify system binaries or do all sorts of nasty things that would - in the best cases, actually would break the device. In worst scenarios, they would actually leave a backdoor there or do something that would stay there forever - right? - install rootkits or do these sorts of things, stealthy things. 

Jonathan Bar Or: And then what Apple decided to do is to come up with a technology of sandboxing the system itself by limiting that root user. So root is now no longer the one who has full control over the system. You have other mechanisms that prevent even root from doing certain things. And those mechanisms - part of them is SIP or rootless. 

Jonathan Bar Or: Specifically, what it does is to prevent overriding certain directories in the operating system. So you won't be able to modify these directories or these files under these directories in order to not leave backdoors that would basically serve the client, in this case, instead of the actual operating system. 

Jonathan Bar Or: And there are other things that SIP prevents you from doing, like loading kernel extensions and so on, but - or specific kernel extensions. And that's basically what SIP is. 

Nic Fillingham: Is there an equivalent or, you know, a similar sort of technology over on the Windows side of the house for folks listening to the podcast that are, you know, not super familiar with Mac or even sort of Linux, Unix, POSIX systems? I mean, there's a sandbox technology that's obviously built into Windows. The other two implementations of sandbox similar, or is it quite different? 

Jonathan Bar Or: It's quite different, I would say. There are sandboxing technologies on Windows, but they're completely different. 

Jonathan Bar Or: In terms of sandboxing, the administrator on Windows, which is what SIP does on macOS - I would say that there are several technologies that attack that problem from different angles. Honorable mentions would be protected processes, so even if you run as the administrator, you won't be able to examine their memory or stop them. 

Jonathan Bar Or: Of course, even as the administrator, there are certain things that you can't do, like loading unsigned kernel drivers, unless you are in a very specific mode that can only be entered through physical access to the device. And then there are other technologies that mostly rely on hypervisor on - specifically on Microsoft's hypervisor, which is called Hyper-V, that basically separates your machine to two or more different spaces. 

Natalia Godyla: So returning to SIP, Apple has also done some work in hardening SIP, as I understand it. So how has SIP also recently evolved? There's a particular part of the exploit that I think includes filesystem restrictions. 

Jonathan Bar Or: Yeah. As I mentioned, SIP prevents you from doing a lot of things - loading kernel drivers. Sometimes kernel drivers is one of them. Changing NVRAM variables is a different thing. And one of the most restrictive things is really changing certain files that are attributed to the operating system itself. And, of course, this is kind of problematic from an engineering point of view. 

Jonathan Bar Or: But the problem that Apple needs to override these things, let's say, in upgrades or other - mostly in upgrades, I would say. And then the question is how to do that 'cause if there is a mechanism, SIP, that prevents you from doing that, then it's Catch-22. 

Jonathan Bar Or: And the idea is that very specific processes that belong to Apple will be able to do that. And the way that it's done is that to every image or executable file on macOS, there are certain properties that you can basically attach to it. And one of these properties is called entitlements. And this is basically - says what kind of controls - what the process can or can't do and how it would behave in runtime. And all of these files with entitlements should be signed. And specifically, files with the entitlement that bypass the SIP are supposed to be signed by Apple, and they are. 

Jonathan Bar Or: So when the system - when, let's say, a process tries to override the file that belongs to the operating system and it is SIP-protected, the macOS itself will check if the color (ph), the color (ph) process is signed by Apple and, if it is, then whether it has the entitlement to do so. If it does, then it will be allowed. Otherwise, it will be blocked. And this is how SIP works under the hood. 

Jonathan Bar Or: And what I ended up doing is kind of piggyback riding on that entitlement system, if that makes sense. 

Natalia Godyla: So before we go ahead and talk about maybe some of the protections that people can think about against vulnerabilities like this, I'd love to talk about what happened next. So you said you went through a responsible process of submitting this vulnerability with Apple. Can you go into a little bit more detail about how that engagement looked like so people have that context and then, you know, what the fix was for this? Is this completely resolved? 

Jonathan Bar Or: Yeah. So luckily, in Microsoft, we have MSVR - Microsoft Vulnerability Research, I want to say. I really don't remember the abbreviation. 

Natalia Godyla: That's it. You got it. 

Jonathan Bar Or: And then these guys help us a lot disclosing vulnerabilities in a secure manner and in a responsible manner. 

Jonathan Bar Or: So I reached out to MSVR, told them, hey, you know what? We have a vulnerability. Let's report that to Apple. And Apple immediately responded. And not shortly after, I started talking to their own engineers and basically building - or thinking about the solution together. They did give us constant updates on when this thing is going to be resolved and also how. And I would say, again, that they did a pretty good job there. 

Jonathan Bar Or: I did mention in the beginning of our conversation that I examined their solution, and I did try to see if it's durable, so I did try to bypass it, and I couldn't. I will not say that it's impossible, but I will say that I wasn't able to do it. So from my perspective, this vulnerability is already taken care of and, basically, case closed. 

Jonathan Bar Or: The problem with SIP bypasses specifically and the implications - because you did want to talk about what users could be doing. The problem with these things is that once someone bypasses SIP, they're basically in a - have more - they basically have more privilege than you, than your root user. 

Jonathan Bar Or: And then this might be a problem because - we thought of a few hypothetical scenarios. One of them is adding a rootkit or a backdoor silently. And the other one, which is even more obvious - and this was really a security risk to our own product - is that let's say that someone bypasses SIP and puts their malicious files there. We, Microsoft Defender for Endpoint, actually detect that file, but we will not be able to kill it or delete the file because it's SIP-protected now. It's protected by a mechanism that's supposed to make sure that you don't delete files and whatnot. So this became kind of a problem for us. 

Jonathan Bar Or: So I would say that identifying these kind of vulnerabilities makes, really, macOS more secure 'cause, otherwise, again, you have a lot of implications that even we as a security product won't be able to handle. I hope that makes sense. 

Natalia Godyla: It does. It's really interesting that the attackers would potentially find a safe haven within a security tool to hide and protect themselves against other security tools, but scary as well. 

Nic Fillingham: I wonder if you could just give us a - you talked a little bit about the timeline. But I'd just love to, you know, better understand, from the moment that you sort of first started thinking about SIP and - or maybe - when did your Spidey sense first tingle? 

Natalia Godyla: (Laughter). 

Nic Fillingham: When did you disclose to Apple? And then how quickly was the vulnerability addressed and a fix deployed? And then I assume, you know, very soon after your blog post was published - well, are we talking - was this years, months, weeks, days? How do we sort of think about that? 

Jonathan Bar Or: I think I started - from the moment I started learning deeply, more deeply at least, about how SIP works and how it's enforced until the moment I discovered that vulnerability took, I think, three weeks, I would say. A lot of it was also in my spare time. I have some of it still. 

Nic Fillingham: You have spare time? 

Natalia Godyla: (Laughter). 

Jonathan Bar Or: Some of it. So, you know, during the evenings and stuff like that. 

Jonathan Bar Or: Once we disclosed to Apple, I did make sure that it works and they get their reliable exploit. Once we disclosed to Apple, they responded within a few days, I think. But then it took several months to fix the issue just because it's a logical bug, and they have to make sure that not only did they patch what's wrong, but also they have to make sure that they don't break anything else in the process. 

Jonathan Bar Or: So imagine NIE (ph) fix would be, hey, you know what? Let's never run zsh and... 

Nic Fillingham: Right. 

Jonathan Bar Or: That's the file that was used... 

Nic Fillingham: Problem fixed. 

Jonathan Bar Or: Yeah, then problem fixed, and then 200 other problems are... 

Nic Fillingham: Right. 

Jonathan Bar Or: ...Arise, right? So that's kind of a problem. 

Jonathan Bar Or: And also, we have to make sure that they do it in a durable way. And before publishing the blog post - and we shared the blog post draft with them as well, just to make them aware. And we also made sure to release the blog post only after making sure that not only did Apple fix the problem and deploy a solution, but also, we gave time to Mac users to actually get those updates. And, you know, these things take time, unfortunately. It's just the nature of things. So we really wanted to make sure that it's done responsibly and without putting users at risk. 

Jonathan Bar Or: But, you know, there is this chance that once Apple releases their fixes, someone might reverse-engineer their - basically, their updates and try to attack macOS users immediately. So time is really a critical component here. You can't release the blog post too early, and you can't release it too soon. 

Jonathan Bar Or: One thing that I will mention because you guys did ask about what users might do - on my own macOS, I do have Microsoft Defender for Endpoint. And I'm sorry for using the stage for a shameless promotion, but I will. I will say that just based on previous - because this is not the first SIP bypass that ever happened, the blue team in Microsoft Defender for Endpoint created a bunch of detections that would generically detect SIP bypasses. And they did detect me without even knowing that I do have a SIP bypass. 

Jonathan Bar Or: So I'm very proud of our product and would say that as time goes by, I think that more and more users will start understanding that, you know, there is some advantage to having an antivirus or security products on Macs, on Linux and so on. And here's the proof to that, of course. So I will say that installing these things is important. Making sure that you're fully patched is, of course, the obvious thing. Always, always get Apple's updates. 

Natalia Godyla: So I don't know if you'll be able to answer this, but what is next for you? Are you already working on next project? I'm assuming yes. 

Jonathan Bar Or: Yes, I'm always working. Although I have some free time, I'm always working. We do have a bunch of other research areas. Some of them are still on Mac. Some of them are - I will say that if you guys would have me, I will probably be talking about Android 'cause we have some juicy stuff there. And I don't know what's next. We'll see. 

Jonathan Bar Or: I mean, it's really up to what we get from the field and from the market. So if we get that our customers are telling us, hey - you know what? - we need protection for Android, we'll pursue that. If we get the feeling that folks are in need of some Linux or better Linux protection, then we will invest more there. 

Nic Fillingham: Give us a sneak peek, if you can, of the - tell me, like, what does that sort of stand-up team meeting, triage, brainstorm process look like where all of you security researchers working on cross-platform, as in non-Windows endpoints, and you are soliciting or you are sort of going through feedback from the field, from support folks, from sellers, from architects, probably, I assume, from partners, from customers directly? How do you get all of that input, and then what's the process by which you sort of sift through it and decide where to go and investigate? 

Jonathan Bar Or: Luckily, I do have managers that make these decisions for us. I'm not - like, it's not that I'm steering the ship. But I would say that I do have a lot of ways to affect certain teams and certain folks on how we should do certain things in a durable way. 

Jonathan Bar Or: Let's say that now we're facing a problem where we might see things like TCC bypasses in macOS - so, for instance, someone turning off your camera and taking pictures silently without any UI interaction. And then there is this question of how can we detect these things? And sometimes it means adding new optics and affecting engineering. 

Jonathan Bar Or: So my day basically is composed of meeting with our - sometimes meeting with folks that have more customer insights and trying to understand exactly what customers need. I do have meetings with engineering that try to affect them and see how their timeline looks like and how to make things survive. I know it sounds a bit silly, but with every - specifically for macOS, with every OS update, there are certain things that are not obvious anymore and certain things that won't be backwards compatible anymore. So you have to make sure that these things, you know, use the proper API and survive for years to come. 

Jonathan Bar Or: And then we have meetings with security researchers. And then in these meetings, we share our knowledge on, you know, malware families, operating system internals, tactics and techniques that are used by attackers, new technologies and also trying to understand where the wind blows. 

Jonathan Bar Or: So for instance, we do have a big database with all of the attacker techniques that we've seen. And every time we see something happen, we just add one more point there. So we can basically try to understand where the wind blows and be really data-driven in our approach. This kind of dictates what we should be focusing on next. I hope that makes sense. 

Natalia Godyla: It does. I had a quick question on your - the end of your point there. So on - in terms of security researchers, are you talking about working with other internal Microsoft Security researchers? And if so, is there an opportunity or have you worked with external security researchers? Like, how does the community come together around some of the work that you do? 

Jonathan Bar Or: Yeah. So I was referring to Microsoft internal folks only. However, we do have certain communities that we're trying to keep track of or also talk with. One of the (unintelligible) that I would say is that there is a Microsoft Defender for Endpoint Reddit subreddit. And we do read everything there. And sometimes you might see, like, cool ideas that basically are voiced there, and we do take them into consideration. I won't say that now if you write that - write there that you want X and Y, we'll definitely do that. But we do listen. 

Jonathan Bar Or: And in terms of other security researchers, once in a while, we do reach out to certain security researchers and try to learn from them. I won't give any specific names, but I do - I was in contact with a few security researchers for Mac, for instance, that basically showcased their proof-of-concept vulnerabilities without disclosing how they look like - or, sorry, how they're implemented. 

Jonathan Bar Or: So we are trying to be more proactive and try to learn from these folks as well because, you know, these guys are - have years and years of experience, and there is more macOS code - in this case, macOS, but it also applies to Linux and Android - than there are people researching it. So it's always good to learn new things from other folks. Some of them are collaborative. Some of them are less collaborative. And that works well. At least we get some hints on what to - what we should look at next. 

Nic Fillingham: Jonathan, we try not to spend too much time sort of promoting specific Microsoft products and solutions here on the podcast. We try to keep it fairly agnostic. We try to focus on the, you know, the insights and analysis here that would be applicable to anyone, regardless of, you know, what solutions they're running. 

Nic Fillingham: But I do want to end with sort of one quick question. I think you touched on it, but it might be worth sort of wrapping up here. So in your research, in your proof of concept, would the SIP vulnerability that you identified - would it actually have been alerted or flagged or even blocked if a endpoint was running Microsoft Defender for Endpoint from Mac? Or what would've happened before this vulnerability was addressed if they were running one of the Mac solutions that's in the Defender family? 

Jonathan Bar Or: It would've been alerted but not blocked. Now it would've been blocked, but only after the fact. 

Jonathan Bar Or: So we have several components. One of them is handling mostly pre-breach, and the other one is handling post-breach. The post-breach component mostly does alerting. It doesn't block things and can sustain false positives, even. That's the reason mostly it just alerts and not - doesn't block. And we have a pre-breach component that is focused more on blocking things. And these things, of course, intertwine these days. 

Jonathan Bar Or: But in this case, the post-breach solution alerted on my SIP bypass. Again, they didn't know that I had this kind of SIP bypass, and it just so happened to use in - to use my SIP bypass for something. In this case, it was overriding the Apple kernel exclusion list file, which is a file - SIP-protected Apple macOS file. So by overriding that file, they didn't know that I had a SIP bypass, but they did detect that, hey, something strange is going on. That file should not be overridden by this process. So they did alert. 

Jonathan Bar Or: I won't do justice talking about how they do that because they have, you know, all sorts of models - and I don't want to use the word machine learning, but I already have - that basically do these things and way better than what I can probably describe. So, yes, it would have been alerted, not blocked. 

Jonathan Bar Or: I will mention, though, that there is a feedback loop going between these two components. So if we see that the post-breach solution alerts all the time, we do feed that back to the pre-breach solution so it can block, let's say, for similar cases. And that's basically what happens under the hood there. 

Natalia Godyla: So just before we wrap up here, I think it's good to just hit these last notes a couple times. You know, for anyone listening, patch, patch, patch. Regardless of your device, use an antivirus or anti-malware solution, whether it's Microsoft Defender for Endpoint or otherwise. 

Natalia Godyla: But thank you again, Jonathan, for joining us. It was a pleasure to have you on the podcast again. And definitely let us know when we can bring you on to talk about that juicy Android vulnerability. 

Jonathan Bar Or: All right, thank you for having me. And I'll see you guys next time. 

Natalia Godyla: Well, we had a great time unlocking insights into security. From research to artificial intelligence, keep an eye out for our next episode. 

Nic Fillingham: And don't forget to tweet us - @msftsecurity - or email us at with topics you'd like to hear on a future episode. Until then, stay safe. 

Natalia Godyla: Stay secure.