macOS Vulnerability Could Expose User Data, Microsoft Warns

Summary:
Microsoft has identified a vulnerability in macOS, named "HM Surf," that enables attackers to bypass the system’s Transparency, Consent, and Control (TCC) technology, which is responsible for managing user permissions for accessing sensitive data. This flaw, tracked as CVE-2024-44133, allows attackers to gain unauthorized access to user data, including browsing history, camera, microphone, and location. By exploiting this vulnerability, attackers can remove TCC protections from the Safari browser directory and modify configuration files to bypass user consent, granting full access to these sensitive resources.


The vulnerability works by leveraging Safari's entitlements, which bypass TCC checks for services like the camera and microphone. Attackers can exploit this entitlement by modifying the Safari configuration files in the user’s home directory that store site-specific preferences, allowing them to override TCC permissions. Once the changes are made, Safari can access protected services without the user's consent, enabling the attacker to secretly record audio, take snapshots with the camera, and track the device’s location. The attack can be subtle, with Safari running in a small window to avoid detection.


Security Officer Comments:
While Microsoft detected suspicious activity linked to Adload, a known macOS malware family, it remains unclear if this specific vulnerability is being fully exploited in the wild. However, Microsoft observed that Adload modified a user’s Chrome Preferences file in a way that could indicate similar techniques are being used to bypass TCC protections. Microsoft has integrated behavioral monitoring protections in its Defender for Endpoint product to detect and block such attacks. This vulnerability primarily affects Safari due to its special entitlements that allow it to bypass TCC checks, while third-party browsers like Chrome, Firefox, and Edge do not have these privileges and are therefore less vulnerable to this particular exploit.
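A minimal sketch of the kind of behavioral check described above, added here as an illustration (it is not Microsoft's detection logic or code from the source article): it flags modifications to Safari's per-user directory or Chrome's Preferences file made by a process other than the browser itself. The JSON event schema (`op`, `path`, `process`), the watched paths, and the allowlisted binary paths are assumptions, and the sample events are constructed.

```python
import json
import posixpath
from pathlib import PurePosixPath

# Assumed watch list: home-relative path -> processes expected to modify it (tune per fleet).
WATCHED = {
    PurePosixPath("Library/Safari"):
        {"/Applications/Safari.app/Contents/MacOS/Safari"},
    PurePosixPath("Library/Application Support/Google/Chrome/Default/Preferences"):
        {"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"},
}
MODIFYING_OPS = {"create", "write", "rename", "unlink"}

def home_relative(path):
    """Normalize path (resolving '..'); return it relative to /Users/<name>, or None."""
    parts = PurePosixPath(posixpath.normpath(path)).parts
    return PurePosixPath(*parts[3:]) if len(parts) > 3 and parts[:2] == ("/", "Users") else None

def classify(event):
    """Return the watched path if an unexpected process modified it, else None."""
    if not isinstance(event, dict) or event.get("op") not in MODIFYING_OPS:
        return None
    rel = home_relative(str(event.get("path", "")))
    for watched, writers in WATCHED.items():
        if rel is not None and (rel == watched or watched in rel.parents):
            if event.get("process") not in writers:
                return str(watched)
    return None

def scan(lines):
    """Parse JSON-lines events, skip malformed lines, return (watched, process) alerts."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = classify(event)
        if hit:
            alerts.append((hit, event.get("process")))
    return alerts

# Constructed sample events (not real telemetry); the last line is deliberately malformed.
SAMPLE_EVENTS = [
    '{"op": "write", "path": "/Users/alice/Library/Safari/constructed-prefs.db", "process": "/Applications/Safari.app/Contents/MacOS/Safari"}',
    '{"op": "write", "path": "/Users/alice/Documents/../Library/Safari/constructed-prefs.db", "process": "/private/tmp/constructed-helper"}',
    '{"op": "write", "path": "/Users/bob/Library/Application Support/Google/Chrome/Default/Preferences", "process": "/private/tmp/constructed-helper"}',
    '{"op": "read", "path": "/Users/alice/Library/Safari/constructed-prefs.db", "process": "/private/tmp/constructed-helper"}',
    'not json {',
]
```

An alert here means only that a non-browser process touched browser configuration; it is a triage signal, not proof that CVE-2024-44133 was exploited.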


Suggested Corrections:
Microsoft reported the issue to Apple, which released a fix as part of a security update for macOS Sequoia on September 16, 2024. Users are strongly urged to apply the update immediately, as Microsoft’s monitoring has identified potential exploitation activity in the wild.


Link(s):
https://www.infosecurity-magazine.com/news/microsoft-macos-vulnerability/