@lapcatsoftware @joe I assume it was just being run manually, I think that particular avenue might be blocked now due to launch constraints. I do know I have used either this or something else I found during a CTF to cheese another kernel pwn challenge though

@saagar @joe What I meant was, how was Setup Assistant NOT vulnerable in Mac OS X 10.10 and earlier? Which goes back to my original question, there was a defense before SIP?

@saagar @joe I have an old Mac with Snow Leopard, and I can DYLD_ inject Setup Assistant.

The app quits on its own after launch for whatever reason, perhaps because it was designed to run only once.

@lapcatsoftware @joe I think Library Validation was introduced before SIP but not way back in 10.6

@lapcatsoftware @joe To be clear I am not saying that 10.10 was secure I just don’t think the current state is exactly the same as what we had back then

@saagar @joe Library validation was introduced in 10.10. That’s the point, though: it’s independent of SIP.

The question is whether disabling SIP is worse than not having SIP, and I’m not sure that it is. You seem to blame SIP for the introduction of a root escalation, whereas I wonder whether it was preexisting.

@lapcatsoftware @joe It’s more nuanced than that. If there’s a security bug, and we assume Apple will get around to it someday, without SIP they would fix it in some other way. Wi5 SIP, that is the way they consider it fixed.