macOS HM Surf Vuln Might Already Be Under Exploit by Major Malware Family

Summary:
Microsoft has urged all macOS users to update their systems due to a vulnerability (CVE-2024-44133, CVSS 5.5) patched in the September macOS Sequoia updates. The flaw may be exploited by the Adloader macOS malware family. It targets Apple's Transparency, Consent, and Control (TCC) protections, potentially allowing unauthorized access to a device's camera, microphone, and location.

The vulnerability is limited to Safari, which has entitlements allowing it to bypass TCC protections. Microsoft's Jonathan Bar Or demonstrated an exploit, named "HM Surf," that uses the Directory Service command line utility (dscl) to modify Safari's configuration files and so manipulate TCC protections. This method could allow attackers to access sensitive data without the user's knowledge.

Microsoft has implemented new detection strategies and observed suspicious activity linked to Adloader, though it couldn't confirm if the activity directly exploited HM Surf. Apple introduced new APIs to prevent such modifications, while other browsers like Firefox and Chromium are still working on similar protections.

Security Officer Comments:
The flaw centers around Safari’s entitlements within the TCC framework. Entitlements in macOS dictate what system resources an app can access. Safari, being a core Apple application, possesses more powerful entitlements compared to other apps. This elevated privilege allows Safari to bypass some of TCC's standard protections once access is granted by the user.

  • Exploit Mechanism: Jonathan Bar Or from Microsoft developed an exploit named "HM Surf" that takes advantage of Safari's special entitlements. The exploit manipulates local configuration files within Safari's directory, specifically those related to TCC, to effectively disable the standard consent checks.
  • Configuration File Manipulation: Using the Directory Service command line utility (dscl), the exploit alters the user's home directory path and then modifies Safari's TCC-related configuration files. Once those files have been edited to bypass TCC protections, the home directory is reverted, so Safari runs with the altered settings.
  • Potential Consequences: With these modifications, an attacker could run Safari in a way that circumvents TCC’s user-consent prompts. This could enable the following unauthorized actions:
    • Taking photos using the device’s camera.
    • Recording audio via the device’s microphone.
    • Accessing location data.
    • Reading download histories and other private user data.
  • Stealth Execution: Bar Or noted that the exploit could be further refined by running Safari in a minimized or tiny window, making it less likely that a user would notice its operation. This would allow an attacker to capture and upload sensitive data to a server of their choice without drawing attention.
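As an added example (not code from Microsoft, Apple or The Register), the following Python detector looks for the change-then-revert sequence described under Configuration File Manipulation above: a dscl edit of a user's home-directory attribute, a write into Safari's per-user configuration, then a second dscl edit restoring the original home directory. It runs over constructed process and file-write events embedded in the script. The event schema, the NFSHomeDirectory attribute name, the ~/Library/Safari location and the Safari file name are all assumptions of the example.

```python
"""Detection for the HM Surf sequence described in the comments above:
a dscl change to a user's home-directory attribute, a write into Safari's
per-user configuration, then a revert of the home directory.

Added example; not code from Microsoft, Apple or The Register.
Constructed assumptions: events arrive as JSON lines with fields ts, type,
user, argv (exec events) and path (file_write events); the dscl attribute
holding the home directory is NFSHomeDirectory; Safari's per-user
configuration lives under ~/Library/Safari.
"""
import json
import re
from dataclasses import dataclass

HOME_ATTR = "NFSHomeDirectory"            # assumed dscl attribute name
SAFARI_DIR_RE = re.compile(r"/Library/Safari/")
WINDOW_SECONDS = 120                      # change -> write -> revert must fit in here


@dataclass
class HomeChange:
    ts: float
    old: str        # "" when the edit was a -create (previous value unknown)
    new: str


@dataclass
class Alert:
    severity: str   # "medium" for any home-directory edit, "high" for the full sequence
    user: str
    ts: float
    reason: str


def parse_dscl_home_change(argv):
    """Return (user, old, new) if argv is a dscl -change/-create command on the
    home-directory attribute of a /Users/<name> record, else None."""
    if not argv or not argv[0].endswith("dscl"):
        return None
    verbs = [i for i, a in enumerate(argv) if a in ("-change", "-create")]
    if not verbs:
        return None
    verb, rest = argv[verbs[0]], argv[verbs[0] + 1:]
    # -change <record> <attr> <old> <new>   /   -create <record> <attr> <new>
    if len(rest) < 3 or rest[1] != HOME_ATTR:
        return None
    m = re.match(r"^/Users/([^/]+)$", rest[0])
    if not m:
        return None
    if verb == "-change":
        return (m.group(1), rest[2], rest[3]) if len(rest) >= 4 else None
    return m.group(1), "", rest[2]


def detect(lines):
    """Scan JSON-lines events in order and return the alerts raised."""
    changes = {}        # user -> [HomeChange, ...]
    safari_writes = {}  # user -> [ts, ...]
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "file_write":
            if SAFARI_DIR_RE.search(ev.get("path", "")):
                safari_writes.setdefault(ev["user"], []).append(ev["ts"])
            continue
        if ev["type"] != "exec":
            continue
        parsed = parse_dscl_home_change(ev.get("argv", []))
        if parsed is None:
            continue
        user, old, new = parsed
        hist = changes.setdefault(user, [])
        alerts.append(Alert("medium", user, ev["ts"],
                            f"dscl edited {HOME_ATTR} of {user}: {old or '?'} -> {new}"))
        # Does this edit restore a value set by an earlier edit, with a Safari
        # configuration write in between?  That is the sequence the write-up describes.
        for prev in hist:
            if (prev.old and new == prev.old
                    and ev["ts"] - prev.ts <= WINDOW_SECONDS
                    and any(prev.ts <= t <= ev["ts"] for t in safari_writes.get(user, []))):
                alerts.append(Alert("high", user, ev["ts"],
                                    "home directory changed, Safari configuration written, "
                                    "then home directory reverted"))
                break
        hist.append(HomeChange(ev["ts"], old, new))
    return alerts


# Constructed sample events (not real telemetry).  The Safari file name is a
# placeholder; the write-up does not name the files involved.
SAMPLE_LOG = """\
{"ts": 1000, "type": "exec", "user": "alice", "argv": ["/usr/bin/dscl", ".", "-read", "/Users/alice", "NFSHomeDirectory"]}
{"ts": 1001, "type": "exec", "user": "alice", "argv": ["/usr/bin/dscl", ".", "-change", "/Users/alice", "NFSHomeDirectory", "/Users/alice", "/tmp/stage"]}
{"ts": 1003, "type": "file_write", "user": "alice", "path": "/Users/alice/Library/Safari/PLACEHOLDER_CONFIG"}
{"ts": 1005, "type": "exec", "user": "alice", "argv": ["/usr/bin/dscl", ".", "-change", "/Users/alice", "NFSHomeDirectory", "/tmp/stage", "/Users/alice"]}
{"ts": 2000, "type": "exec", "user": "bob", "argv": ["/usr/bin/dscl", ".", "-change", "/Users/bob", "NFSHomeDirectory", "/Users/bob", "/Volumes/Data/bob"]}
{"ts": 2100, "type": "file_write", "user": "bob", "path": "/Users/bob/Documents/notes.txt"}
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] user={a.user} ts={a.ts}: {a.reason}")
```

Every dscl edit of a home directory raises a medium alert, which will be noisy in fleets that relocate home folders legitimately (bob's edit in the sample is one such case); the high alert fires only on the complete change, write, revert sequence inside the window, so tune on that one first and treat the medium alert as supporting context.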

Microsoft indicated that while they have observed suspicious activity that could suggest attempts to exploit this vulnerability, they could not confirm whether the Adloader macOS malware family has directly used HM Surf. Adloader is known for its focus on persistent infection and data theft on macOS systems.

Suggested Corrections:
Apple addressed this vulnerability with the September macOS Sequoia updates, which included new APIs for App Group Containers. These APIs are intended to improve System Integrity Protection (SIP), a macOS feature that prevents unauthorized modifications to system files and configurations. By using these new APIs, macOS aims to restrict any app, including Safari, from altering its configuration files in a way that would disable TCC protections.

Link(s):
https://www.theregister.com/2024/10/21/microsoft_macos_hm_surf/