Microsoft Threat Intelligence on Thursday revealed that they discovered a macOS vulnerability that could potentially allow attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s sensitive data.
This macOS vulnerability was identified as CVE-2024-44133 and dubbed “HM Surf.” For those unaware, TCC is a technology that prevents apps from accessing the user’s personal information, including location services, camera, microphone, downloads directory, and others, without their prior consent and knowledge.
However, the HM Surf vulnerability involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory.
This could allow threat actors to gain unauthorized access to sensitive user data, including browsing history, the device’s camera, microphone, and even location information, without the user’s consent.
According to the Microsoft Threat Intelligence report, the bypass depends on sensitive files in the ~/Library/Safari directory.
The threat actor could supersede security controls by modifying the sensitive files under the user’s real home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db) and exploit Safari’s entitlements and TCC.
“Reading arbitrary files from the directory allows attackers to gather extremely useful information (such as the user’s browsing history),” the report stated, adding, “Writing to the directory allows TCC bypasses, for instance, by overriding the PerSitePreferences.db.”
The Redmond giant further noted that behavior monitoring protections in Microsoft Defender for Endpoint had observed suspicious activity associated with a known macOS adware, Adload, a prevalent macOS threat family, potentially exploiting this vulnerability.
“Microsoft Defender for Endpoint detects and blocks CVE-2024-44133 exploitation, including anomalous modification of the Preferences file through HM Surf or other methods,” the report added.
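The monitoring idea described above, as an added example that is not Microsoft's or Apple's code: it flags modifications to files under a user's Library/Safari directory made by any process outside an allowlist. The JSON event format, field names, operation names and the allowlist are assumptions, and the sample events are constructed.

```python
import json
import posixpath
import re

# Files under a user's real home Safari directory (path pattern from the report).
SAFARI_FILE = re.compile(r"^/Users/[^/]+/Library/Safari/(.+)$")
# Assumption: the only process expected to modify these files. Tune per fleet.
ALLOWED_WRITERS = {"/Applications/Safari.app/Contents/MacOS/Safari"}
# Assumption: operation names used by the (hypothetical) file-event feed.
MODIFYING_OPS = {"create", "write", "rename", "unlink"}

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = [
    '{"op": "write", "process": "/Applications/Safari.app/Contents/MacOS/Safari", "path": "/Users/alice/Library/Safari/History.db"}',
    '{"op": "write", "process": "/tmp/updater", "path": "/Users/alice/Library/Safari/PerSitePreferences.db"}',
    '{"op": "rename", "process": "/usr/bin/python3", "path": "/Users/alice/Downloads/x.db", "dest": "/Users/alice/Documents/../Library/Safari/PerSitePreferences.db"}',
    '{"op": "read", "process": "/tmp/updater", "path": "/Users/alice/Library/Safari/History.db"}',
    '{"op": "write", "process": "/usr/bin/vim", "path": "/Users/alice/notes.txt"}',
    'not json',
]

def safari_target(event):
    """Return the file name under Library/Safari touched by the event, or None."""
    for key in ("dest", "path"):  # a rename lands on "dest"
        value = event.get(key)
        if isinstance(value, str):
            # Collapse ".." segments so a relative detour cannot hide the target.
            match = SAFARI_FILE.match(posixpath.normpath(value))
            if match:
                return match.group(1)
    return None

def find_suspicious_writes(lines, allowed=ALLOWED_WRITERS):
    """Return (line number, process, file, severity) for unexpected modifications."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(event, dict) or event.get("op") not in MODIFYING_OPS:
            continue
        target = safari_target(event)
        if target is None or event.get("process") in allowed:
            continue
        # The report singles out PerSitePreferences.db as the TCC-relevant file.
        severity = "high" if target == "PerSitePreferences.db" else "medium"
        findings.append((lineno, event.get("process"), target, severity))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_writes(SAMPLE_EVENTS):
        print(finding)
```

Path normalization here is purely lexical; it does not resolve symlinks, so a real deployment would compare against the resolved path reported by the endpoint sensor.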
Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple fixed the vulnerability as part of its latest security updates for macOS Sequoia on September 16, 2024.
Currently, only Apple’s Safari browser uses the new protections afforded by TCC. Microsoft is working with other major browser vendors, including Google and Mozilla, to further investigate the benefits of hardening local configuration files.
The company strongly encourages macOS users to apply Apple’s latest security updates as soon as possible to protect against this vulnerability.
“Microsoft continues to monitor the threat landscape to discover new vulnerabilities and attacker techniques that could affect macOS and other non-Windows devices. As cross-platform threats continue to increase, a coordinated response to vulnerability discoveries and other forms of threat intelligence sharing will help enrich protection technologies that secure users’ computing experience regardless of the platform or device they’re using,” the report concluded.