Alert: Microsoft Unveils TCC macOS Vulnerability In Safari
Microsoft has recently shared details of a macOS vulnerability in the Transparency, Consent, and Control (TCC) framework. Reports suggest that the vulnerability is likely being actively exploited to bypass security preferences and access user data. In this article, we’ll cover how the vulnerability can be exploited and what users can do to stay secure. Let’s begin!
TCC macOS Vulnerability Uncovered
The macOS vulnerability is tracked as CVE-2024-44133 and has a Common Vulnerability Scoring System (CVSS) score of 5.5. The vulnerability lies in the Safari web browser and has been codenamed HM Surf. Providing details about the vulnerability, Microsoft has stated that it:
“involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.”
Once a threat actor has acquired this data, it can be used to blackmail users for ransom or other concessions, or released publicly to cause reputational damage. It’s worth noting that the discovery of HM Surf follows Microsoft’s earlier discovery of other macOS security vulnerabilities, including:
- Shrootless.
- powerdir.
- Achilles.
- Migraine.
macOS TCC Framework Flaw Attack Chain
Apple’s TCC security framework is designed to prevent apps from accessing user data without first obtaining the user’s consent. However, this new macOS vulnerability allows threat actors to bypass that protection and gain unauthorized access to sensitive information from multiple sources, including:
- Location services.
- Address book.
- Device camera and microphone.
- Download directory.
It’s worth noting that this access is facilitated by the Safari web browser, which is itself entitled to bypass TCC. The browser asks the user for permission and then stores the granted permissions in the “~/Library/Safari” directory. According to Microsoft, exploiting this macOS vulnerability would proceed in several steps:
- Using the dscl utility to change the user’s home directory and accessing the “~/Library/Safari” directory to modify sensitive files.
- Ensuring that Safari is able to use the modified files by changing the home directory back to the original directory.
- Launching Safari to open a web page that takes a snapshot via the device’s camera and grabs the device’s location.
- Accessing Safari, going to a webpage that was already opened, and acquiring the device location and user data via the device’s camera.
Once this sequence of events is completed, the threat actor can acquire more data by capturing camera streams and audio. The macOS vulnerability has been addressed in macOS Sequoia 15, and users are urged to update promptly.
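The attack chain above has a detectable shape: a dscl invocation that rewrites a user’s home directory, followed shortly afterwards by a Safari launch for the same user. The following is an added example written for this article, not code from the article, from Microsoft, or from Apple. It runs over constructed process-execution events (the users, paths and timestamps are made up, and the event format is an assumption, not any real EDR schema), flags the dscl-then-Safari pattern, and checks a reported macOS version against Sequoia 15, the release the article names as carrying the fix. NFSHomeDirectory is the Open Directory attribute that holds a user’s home path and that dscl edits; the five-minute correlation window is an assumed tuning value.

```python
"""Detection sketch for the HM Surf attack chain described in the article.

Added example: not the article's, Microsoft's or Apple's code. Telemetry
below is constructed; treat the event schema and the window as assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

FIXED_MAJOR = 15  # macOS Sequoia 15 carries the fix, per the article

# dscl verbs that write an attribute (as opposed to -read, which only inspects it)
DSCL_WRITE_VERBS = ("-create", "-change", "-merge", "-append")


@dataclass
class ProcEvent:
    ts: datetime
    user: str
    process: str
    cmdline: str


# Constructed sample telemetry: users, paths and timestamps are made up.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2024, 10, 18, 9, 0, 0), "alice", "dscl",
              "dscl . -read /Users/alice NFSHomeDirectory"),
    ProcEvent(datetime(2024, 10, 18, 9, 0, 5), "alice", "dscl",
              "dscl . -create /Users/alice NFSHomeDirectory /Users/alice/staging"),
    ProcEvent(datetime(2024, 10, 18, 9, 0, 9), "alice", "dscl",
              "dscl . -create /Users/alice NFSHomeDirectory /Users/alice"),
    ProcEvent(datetime(2024, 10, 18, 9, 0, 12), "alice", "Safari",
              "/Applications/Safari.app/Contents/MacOS/Safari"),
    # bob: a lone home-directory move hours before any Safari launch
    # (the kind of admin activity that should not, by itself, page anyone)
    ProcEvent(datetime(2024, 10, 18, 10, 30, 0), "bob", "dscl",
              "dscl . -create /Users/bob NFSHomeDirectory /Volumes/Data/bob"),
    ProcEvent(datetime(2024, 10, 18, 14, 0, 0), "bob", "Safari",
              "/Applications/Safari.app/Contents/MacOS/Safari"),
]


def is_home_dir_rewrite(ev):
    """True when dscl is invoked to write (not merely read) NFSHomeDirectory."""
    if ev.process != "dscl":
        return False
    argv = ev.cmdline.split()
    return "NFSHomeDirectory" in argv and any(v in argv for v in DSCL_WRITE_VERBS)


def find_hm_surf_pattern(events, window=timedelta(minutes=5)):
    """Correlate home-directory rewrites with a Safari launch by the same user.

    Returns (user, dscl_ts, safari_ts) tuples. Each Safari launch is paired
    with the earliest preceding rewrite inside the window, so repeated dscl
    calls (change away, then change back) produce a single alert.
    """
    rewrites = [e for e in events if is_home_dir_rewrite(e)]
    hits = []
    for safari in (e for e in events if e.process == "Safari"):
        for rw in rewrites:
            if rw.user == safari.user and timedelta(0) <= safari.ts - rw.ts <= window:
                hits.append((safari.user, rw.ts, safari.ts))
                break
    return hits


def is_patched(product_version):
    """True when the reported macOS version is Sequoia 15 or later (the fixed release)."""
    major = int(product_version.split(".")[0])
    return major >= FIXED_MAJOR


if __name__ == "__main__":
    for user, t_dscl, t_safari in find_hm_surf_pattern(SAMPLE_EVENTS):
        print(f"ALERT {user}: home directory rewritten at {t_dscl:%H:%M:%S}, "
              f"Safari launched at {t_safari:%H:%M:%S}")
    for v in ("14.7", "15.0", "15.1"):
        print(v, "patched" if is_patched(v) else "update needed")
```

Run as-is, the script alerts only on alice: her home directory is rewritten twice within seconds and Safari starts immediately afterwards. bob’s rewrite is recorded as a home-directory change but not correlated, because administrators do legitimately move home directories with dscl and a lone rewrite is noise without the follow-on Safari launch. On a real fleet the version check would be fed from `sw_vers -productVersion` on each host.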
Conclusion
The HM Surf vulnerability within macOS’s TCC framework poses significant privacy risks by allowing unauthorized access to sensitive data. Users should update to macOS Sequoia 15 immediately to mitigate potential exploits. Staying vigilant and applying security patches promptly is essential to safeguard personal information from such threats.
The sources for this piece include articles in The Hacker News and Security Affairs.