Microsoft has revealed details about a patched security flaw in Apple’s Transparency, Consent, and Control (TCC) in macOS that was likely used to bypass privacy settings and access user data.
The flaw, which the tech giant has codenamed HM Surf, is tracked as CVE-2024-44133. It was addressed by Apple as part of macOS Sequoia 15 by removing the vulnerable code.
HM Surf “involves removing TCC protection for the Safari browser directory and modifying a configuration file in said directory to access user data, including pages viewed, device camera, microphone, and location, without user consent,” Jonathan said. Bar Abo from the Microsoft Threat Intelligence team said.
Microsoft said the new protection is limited to Apple’s Safari browser, and that it is working with other major browser vendors to further explore the benefits of hardening local configuration files.
HM Surf follows Microsoft’s discovery of Apple macOS flaws such as Rootless, PowerDir, Achillesand Migraine which may allow attackers to bypass security measures.
While TCC is a security system that prevents apps from accessing users’ personal information without their consent, a newly discovered bug could allow attackers to bypass this requirement and gain access to location services, address book, camera, microphone, directory downloads and others in an unauthorized way.
Access is governed by a set of permissions, with Apple’s own apps such as Safari having the ability to bypass TCC entirely by using the “com.apple.private.tcc.allow” permission.
While this allows Safari to freely access sensitive permissions, it also includes a new security mechanism called Hardened runtime which makes it difficult to execute arbitrary code in the context of a web browser.
However, when users first visit a website that requests location or camera access, Safari requests access through a TCC-like popup. These permissions are stored for each website in different files located in the “~/Library/Safari” directory.
The HM Surf exploit, developed by Microsoft, depends on the following steps:
- Changing the current user’s home directory with dcl utility, a step that does not require access to TCC in macOS Sonoma
- Changing sensitive files (eg PerSitePreferences.db) to “~/Library/Safari” in the user’s actual home directory
- Changing the home directory back to the original directory causes Safari to use the changed files
- Launch Safari to open a web page that takes a picture with the device’s camera and captures the location
The attack could be extended further to save the entire stream from the camera or to stealthily capture audio through the Mac’s microphone, Microsoft said. Third-party web browsers don’t suffer from this problem because they don’t have the same privacy rights as Apple apps.
Microsoft noted that it has observed suspicious activity related to a known macOS adware threat called AdLoad is likely exploiting this vulnerability, so users should take steps to apply the latest updates.
“Because we were unable to observe the steps leading up to this activity, we cannot fully determine whether AdLoad is exploiting the HM surf vulnerability itself,” Barr Orr said. “Attackers using a similar method to deploy a common threat increase the importance of protecting against attacks using this technique.”
