Microsoft has uncovered a macOS vulnerability that can enable attackers to gain access to users’ protected data, and warned that active exploitation may be taking place.
The flaw, dubbed “HM Surf,” allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology to access sensitive user data, including browsed pages and the device’s camera, microphone and location.
The vulnerability is identified as CVE-2024-44133, with a medium severity rating.
Microsoft shared its findings with Apple, which released a fix as part of security updates for macOS Sequoia on September 16, 2024.
macOS users are urged to apply the updates as soon as possible; Microsoft has also detected potential exploitation activity associated with Adload, a prevalent macOS malware family.
How Attackers Can Bypass macOS Protections
Exploitation involves removing the TCC protection from the Safari browser’s configuration directory and then modifying a configuration file inside it, Microsoft said.
TCC is a technology that prevents apps from accessing users’ personal information, including services such as location services, camera, microphone, downloads directory, and others, without their prior consent and knowledge.
The bypass leverages the com.apple.private.tcc.allow entitlement carried by Safari, the default browser on macOS. That entitlement lets the app skip TCC checks entirely for the services listed under it.
Third-party browsers available on macOS, including Google Chrome, Mozilla Firefox and Microsoft Edge, do not carry the same private entitlement, so the same technique cannot be used through them to bypass TCC checks.
Microsoft researchers discovered that Safari maintains its configuration in various files under the user’s home directory (~/Library/Safari). This directory contains several files of interest, including the user’s browser history, downloads list, and permissions list.
They were able to change the current user’s home directory (Microsoft’s write-up does this with the dscl utility, which did not itself require TCC access), modify the sensitive files under the user’s real home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db), which TCC no longer guarded once the home directory pointed elsewhere, and then change the home directory back so Safari used the modified files.
This allowed them to run Safari to open a webpage that takes a camera snapshot and trace device location.
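A practical consequence of the technique above is that, while the attack is in progress, the user’s directory-services home no longer matches the real /Users/<name> path. The following shell audit is an added example (not code from Microsoft’s or Apple’s write-ups); it assumes, as Microsoft’s write-up describes, that the switch is made through the dscl NFSHomeDirectory attribute, and the sample inputs at the bottom are constructed.

```sh
#!/bin/sh
# Added example, not code from the original article or from Microsoft/Apple.
# Assumption: the home-directory switch is done via the NFSHomeDirectory
# attribute that `dscl . -read /Users/$USER NFSHomeDirectory` prints.

# Compare the expected home path with one "NFSHomeDirectory: <path>" line
# from dscl. Prints "ok", "UNKNOWN" (no record), or "MISMATCH ...".
home_dir_status() {
  expected="$1"
  dscl_line="$2"
  [ -n "$dscl_line" ] || { echo UNKNOWN; return 0; }
  recorded="${dscl_line#NFSHomeDirectory: }"
  if [ "$recorded" = "$expected" ]; then
    echo ok
  else
    # Safari now resolves ~/Library/Safari under $recorded, so the real
    # $expected/Library/Safari files sit outside TCC's protected path.
    echo "MISMATCH expected=$expected recorded=$recorded"
  fi
}

# Live check on a macOS host; prints a skip message where dscl is absent.
audit_live() {
  user="${USER:-$(id -un)}"
  if ! command -v dscl >/dev/null 2>&1; then
    echo "dscl not available; skipping live audit"
    return 0
  fi
  line=$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | head -n 1)
  home_dir_status "/Users/$user" "$line"
}

audit_live

# Constructed sample inputs: a normal record and a redirected one.
home_dir_status /Users/alice "NFSHomeDirectory: /Users/alice"
home_dir_status /Users/alice "NFSHomeDirectory: /tmp/fakehome"
```

Because the technique restores the original home directory as its last step, a one-off snapshot like this only catches the redirection while it is in place; for lasting coverage the directory-services change itself needs to be logged and alerted on, and the modification time of PerSitePreferences.db compared against Safari’s own activity.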
In a real scenario, an attacker could use the technique to carry out the following activities:
- Host the snapshot somewhere to be downloaded later privately
- Save an entire camera stream
- Record the microphone and stream it to another server or upload it
- Get access to the device’s location
- Start Safari in a very small window to not draw attention
Microsoft said it has observed suspicious activity on a customer’s device, which suggests Adload could be exploiting the HM Surf vulnerability.
“Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM Surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique,” Microsoft warned in the blog post.