
New macOS vulnerability allows unauthorized access to data

Microsoft Threat Intelligence revealed Thursday that it has discovered a macOS vulnerability that could potentially allow attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s sensitive data.

This macOS vulnerability has been identified as CVE-2024-44133 and dubbed “HM Surf”. For those who don’t know, TCC is a technology that prevents apps from accessing the user’s personal information, including location services, camera, microphone, downloads directory and others, without their consent and prior knowledge.

Exploiting HM Surf involves removing the TCC protection from the Safari browser directory and modifying a configuration file in that directory.

This could allow malicious actors to gain unauthorized access to sensitive user data, including browsing history, camera, microphone, and even device location information, without the user’s consent.

According to the Microsoft Threat Intelligence report, the bypass depends on sensitive files in the ~/Library/Safari directory.

An attacker could bypass the security controls by modifying sensitive files in the user’s real home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db) and then take advantage of Safari’s TCC permissions.

“Reading arbitrary files from the directory allows attackers to collect extremely useful information (such as the user’s browsing history),” the report said, adding: “Writing to the directory helps bypass the TCC, for example by replacing PerSitePreferences.db”.

The Redmond giant further noted that behavior monitoring protections in Microsoft Defender for Endpoint observed suspicious activity associated with Adload, a widespread macOS adware family, potentially exploiting this vulnerability.

“Microsoft Defender for Endpoint detects and blocks exploitation of CVE-2024-44133, including abnormal modification of the preferences file via HM Surf or other methods,” the report adds.
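For defenders who want to triage their own file-access telemetry for the behaviour described above, here is an added example (not Microsoft's or Defender's detection logic) that flags access to a user's Library/Safari directory by any process other than Safari. The event fields, the allowlist and the sample events are constructed assumptions, not a real EDR schema.

```python
import json
import posixpath

# Assumption: the only binary expected to write Safari's data directory.
EXPECTED_WRITERS = {"/applications/safari.app/contents/macos/safari"}
WRITE_OPS = {"create", "write", "rename", "unlink"}

# Constructed sample events; field names are hypothetical, not a real EDR schema.
SAMPLE_EVENTS = """\
{"ts":"2024-10-18T09:00:01Z","process":"/Applications/Safari.app/Contents/MacOS/Safari","op":"write","path":"/Users/alice/Library/Safari/PerSitePreferences.db"}
{"ts":"2024-10-18T09:02:13Z","process":"/private/tmp/updater","op":"rename","path":"/Users/alice/Library/Safari/PerSitePreferences.db"}
{"ts":"2024-10-18T09:02:40Z","process":"/private/tmp/updater","op":"read","path":"/Users/alice/Library/SAFARI/../Safari/History.db"}
{"ts":"2024-10-18T09:03:05Z","process":"/usr/bin/vim","op":"write","path":"/Users/alice/Documents/Safari/notes.txt"}
"""

def safari_relative(path):
    """Return the path below /Users/<user>/Library/Safari, or None if outside it."""
    parts = posixpath.normpath(path).split("/")   # collapses ".." and "//"
    lowered = [p.lower() for p in parts]          # default macOS volumes ignore case
    if (len(parts) >= 5 and lowered[:2] == ["", "users"]
            and lowered[3:5] == ["library", "safari"]):
        return "/".join(parts[5:])
    return None

def triage(lines):
    """Yield (severity, event) for non-Safari access to Safari's data directory."""
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        rel = safari_relative(ev["path"])
        if rel is None or ev["process"].lower() in EXPECTED_WRITERS:
            continue
        if ev["op"] in WRITE_OPS:
            # Replacing the per-site preferences file is the write the report calls out.
            sev = "high" if rel.lower() == "persitepreferences.db" else "medium"
        else:
            sev = "low"   # reads still expose data such as browsing history
        yield sev, ev

def run_sample():
    return [(sev, ev["process"], ev["path"])
            for sev, ev in triage(SAMPLE_EVENTS.splitlines())]

if __name__ == "__main__":
    for row in run_sample():
        print(*row)
```

The allowlist is deliberately strict and needs tuning per fleet before the low and medium tiers are useful.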

Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple patched the vulnerability as part of its latest security updates for macOS Sequoia on September 16, 2024.

Currently, only Apple’s Safari browser uses the new protections offered by TCC. Microsoft is working with other major browser vendors, including Google and Mozilla, to further study the benefits of hardening local configuration files.

The company strongly encourages macOS users to apply Apple’s latest security updates as soon as possible to protect against this vulnerability.

“Microsoft continues to monitor the threat landscape for new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. As cross-platform threats continue to increase, a coordinated response to vulnerability discoveries and other forms of threat intelligence sharing will help enrich the protection technologies that secure users’ computing experience, regardless of the platform or device they are using,” the report concludes.