The Microsoft 365 Defender Research Team revealed in a blog post on Monday that it had uncovered a new macOS vulnerability, “powerdir,” that could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data.
Following the discovery, Microsoft shared its findings with Apple, after which the Cupertino giant released a fix for the vulnerability, now identified as CVE-2021-30970, as part of security updates released on December 13, 2021.
“We encourage macOS users to apply these security updates as soon as possible,” wrote Microsoft.
For those unaware, TCC is a technology in macOS that is essentially designed to help users configure the privacy settings of their apps, such as access to the device’s camera, microphone, or location, as well as access to the user’s calendar or iCloud account, among others.
To protect TCC, Apple introduced a feature that prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access.
Microsoft discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests.
If exploited on unpatched systems, the “powerdir” vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data. For example, the attacker could hijack an app installed on the device—or install their own malicious app—and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.
The team noted that other TCC vulnerabilities were previously reported and subsequently patched before their discovery. It also pointed out that it was while examining one of the latest fixes that they came across the powerdir vulnerability.
“In fact, during this research, we had to update our proof-of-concept (POC) exploit because the initial version no longer worked on the latest macOS version, Monterey,” Microsoft added.
“This shows that even as macOS or other operating systems and applications become more hardened with each release, software vendors like Apple, security researchers, and the larger security community, need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them.”
Microsoft security researchers concluded by saying that they are continuing to “monitor the threat landscape” to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices.
To find out more about the exploit, you can read the blog post from the Microsoft 365 Defender Research Team.