Microsoft Uncovers macOS Vulnerability Exposing User Data


Microsoft recently disclosed information regarding a vulnerability in macOS that impacted the Transparency, Consent, and Control framework. This vulnerability may be used to circumvent your privacy settings and gain access to data in the Safari browser.

The Microsoft team gave the vulnerability, tracked as CVE-2024-44133, the Pokemon-like codename HM Surf, as detailed in a Microsoft Threat Intelligence blog post. Apple fixed the vulnerability in a macOS Sequoia 15 update, stating that it had done so by "removing the vulnerable code."

According to Jonathan Bar Or of Microsoft, HM Surf "involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user's data, including browsed pages, the device's camera, microphone, and location, without the user's consent."

Microsoft stated in the report that the Sequoia 15 update protects only Apple's Safari browser. Browsers such as Google Chrome and Mozilla Firefox, however, "do not have the same private entitlements as Apple applications," meaning they are unable to get around the TCC checks. This implies that the app is responsible for preserving access to the privacy database once users approve the TCC checks.

TCC functions by blocking programs from accessing your browsing history or personal information. Using the since-patched vulnerability, bad actors could circumvent the TCC check and gain access to a variety of data, including your camera, microphone, downloads directory, and more.

Microsoft provided an explanation of how they discovered the exploit:

  • Using the dscl utility, which does not require TCC access in Sonoma, you can change the current user's home directory (the ~/Library/Safari directory is no longer TCC protected at this point).
  • Make changes to the sensitive files in the user's actual home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db).
  • To ensure that Safari uses the updated files, change the home directory once more.
  • To access a webpage that records a camera photo and tracks the location of the device, use Safari.
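
For defenders, the steps above leave a recognizable trail: the home directory is redirected, something other than Safari writes to PerSitePreferences.db under the real home, and the home directory is then restored. The following Python is an added example, not code from Microsoft or Apple; the event schema, field names, process names, sample events and the 10-minute window are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # assumed correlation window; tune per environment
DB_SUFFIX = "/Library/Safari/PerSitePreferences.db"
EXPECTED_WRITERS = {"Safari"}       # assumption: nothing else should write this file

# Constructed telemetry in a hypothetical, already-normalized schema (one JSON event per line).
SAMPLE_EVENTS = """
{"ts":"2024-10-01T09:00:00","user":"bob","kind":"file_write","proc":"Safari","path":"/Users/bob/Library/Safari/PerSitePreferences.db"}
{"ts":"2024-10-01T10:00:00","user":"alice","kind":"home_dir_change","proc":"dscl","old":"/Users/alice","new":"/Users/Shared/tmp_home"}
{"ts":"2024-10-01T10:00:05","user":"alice","kind":"file_write","proc":"updater_helper","path":"/Users/alice/Library/Safari/PerSitePreferences.db"}
{"ts":"2024-10-01T10:00:09","user":"alice","kind":"home_dir_change","proc":"dscl","old":"/Users/Shared/tmp_home","new":"/Users/alice"}
{"ts":"2024-10-01T11:00:00","user":"carol","kind":"home_dir_change","proc":"dscl","old":"/Users/carol","new":"/Volumes/Data/carol"}
{"ts":"2024-10-01T11:30:00","user":"carol","kind":"file_write","proc":"backupd","path":"/Users/carol/Library/Safari/PerSitePreferences.db"}
""".strip().splitlines()

def detect_hm_surf_pattern(lines, window=WINDOW):
    """Flag non-Safari writes to the real home's Safari prefs DB while the home directory is redirected."""
    redirected = {}   # user -> (real_home, time the home directory was redirected)
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["kind"] == "home_dir_change":
            state = redirected.get(user)
            if state and ev["new"] == state[0]:
                # Home restored: mark this user's alerts from that redirect as a completed sequence.
                for a in alerts:
                    if a["user"] == user and a["redirected_at"] == state[1].isoformat():
                        a["home_restored"] = True
                del redirected[user]
            elif state is None:
                redirected[user] = (ev["old"], ts)
        elif ev["kind"] == "file_write" and user in redirected:
            real_home, since = redirected[user]
            if (ev["path"] == real_home + DB_SUFFIX
                    and ev["proc"] not in EXPECTED_WRITERS
                    and ts - since <= window):
                alerts.append({"user": user, "writer": ev["proc"], "path": ev["path"],
                               "redirected_at": since.isoformat(), "home_restored": False})
    return alerts

if __name__ == "__main__":
    for alert in detect_hm_surf_pattern(SAMPLE_EVENTS):
        print(alert)
```

An alert with `home_restored` set to true means all three observable steps were seen for that user; an alert without it is still worth triage, since the write alone touches a file only Safari is expected to modify.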

Microsoft has identified a number of vulnerabilities in Apple macOS, including Achilles, Migraine, powerdir, and Shrootless, which could enable malicious actors to circumvent security measures. HM Surf is the most recent of these vulnerabilities.

The blog post also mentioned unusual activity involving AdLoad, a macOS adware threat that takes advantage of the vulnerability.

"Since we weren't able to observe the steps taken leading to the activity, we can't fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself," Bar Or stated. "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."

Update to the most recent security patch as soon as you can.
