New macOS Vulnerability Allows Unauthorized Data Access

Microsoft Threat Intelligence on Thursday revealed that they discovered a macOS vulnerability that could potentially allow attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s sensitive data.

This macOS vulnerability was identified as CVE-2024-44133 and dubbed “HM Surf.” For those unaware, TCC is a technology that prevents apps from accessing the user’s personal information, including location services, camera, microphone, downloads directory, and others, without their prior consent and knowledge.

The HM Surf vulnerability involves removing the TCC protection for the Safari browser directory and modifying a configuration file in that directory.

This could allow threat actors to gain unauthorized access to sensitive user data, including browsing history, the device’s camera, microphone, and even location information, without the user’s consent.

According to the Microsoft Threat Intelligence report, the bypass depends on sensitive files in the ~/Library/Safari directory.

The threat actor could bypass security controls by modifying the sensitive files under the user’s real home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db) and exploit Safari’s entitlements and TCC.

“Reading arbitrary files from the directory allows attackers to gather extremely useful information (such as the user’s browsing history),” the report stated, adding, “Writing to the directory allows TCC bypasses, for instance, by overriding the PerSitePreferences.db.”

The Redmond giant further noted that behavior monitoring protections in Microsoft Defender for Endpoint had observed suspicious activity associated with Adload, a prevalent macOS adware family, potentially exploiting this vulnerability.

“Microsoft Defender for Endpoint detects and blocks CVE-2024-44133 exploitation, including anomalous modification of the Preferences file through HM Surf or other methods,” the report added.
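As an added illustration of what monitoring for anomalous modification of the Safari directory can look like (this is not code from Microsoft's report or from Defender for Endpoint), the sketch below scans file-access events and flags any process other than Safari that touches ~/Library/Safari. The tab-separated event format, the allow-list, the severity labels and the sample lines are all constructed assumptions.

```python
import posixpath
import re

# Matches the per-user Safari directory named in the report, not look-alikes.
SAFARI_DIR = re.compile(r"^/Users/[^/]+/Library/Safari(/|$)")
# Assumption: the only binary expected to touch this directory. Extend per fleet.
ALLOWED = {"/Applications/Safari.app/Contents/MacOS/Safari"}
MODIFY_OPS = {"write", "rename", "unlink", "create"}

# Constructed sample events: time<TAB>process<TAB>operation<TAB>target
SAMPLE_EVENTS = """\
2024-10-01T10:00:01Z\t/Applications/Safari.app/Contents/MacOS/Safari\twrite\t/Users/alice/Library/Safari/PerSitePreferences.db
2024-10-01T10:02:14Z\t/private/tmp/updater\twrite\t/Users/alice/Library/Safari/PerSitePreferences.db
2024-10-01T10:02:15Z\t/private/tmp/updater\tread\t/Users/alice/Library/Safari/History.db
2024-10-01T10:03:00Z\t/usr/bin/python3\trename\t/Users/alice/Documents/../Library/Safari/PerSitePreferences.db
2024-10-01T10:04:00Z\t/usr/bin/vim\twrite\t/Users/alice/Library/SafariNotes/todo.txt
garbled line without tabs
"""


def classify(line):
    """Return (severity, process, op, path) for a suspicious event, else None."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None  # malformed record: skip rather than guess
    _, process, op, target = parts
    # Collapse "../" segments so an indirect path cannot hide the real target.
    path = posixpath.normpath(target)
    if not SAFARI_DIR.match(path) or process in ALLOWED:
        return None
    if op in MODIFY_OPS:
        # Overwriting PerSitePreferences.db is the TCC-bypass step the report describes.
        sev = "high" if path.endswith("/PerSitePreferences.db") else "medium"
    else:
        sev = "low"  # reads still expose data such as browsing history
    return (sev, process, op, path)


def scan(text):
    """Classify every line and keep only the suspicious events."""
    return [f for f in map(classify, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```
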

Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple fixed the vulnerability as part of its latest security updates for macOS Sequoia on September 16, 2024.

Currently, only Apple’s Safari browser uses the new protections afforded by TCC. Microsoft is working with other major browser vendors, including Google and Mozilla, to further investigate the benefits of hardening local configuration files.

The company strongly encourages macOS users to apply Apple’s latest security updates as soon as possible to protect against this vulnerability.

“Microsoft continues to monitor the threat landscape to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. As cross-platform threats continue to increase, a coordinated response to vulnerability discoveries and other forms of threat intelligence sharing will help enrich protection technologies that secure users’ computing experience regardless of the platform or device they’re using,” the report concluded.
