CyberSecurity SEE

macOS Vulnerability Could Expose User Data, Alert from Microsoft

Microsoft has recently discovered a vulnerability in macOS that could potentially allow attackers to access users’ protected data. The flaw, known as “HM Surf,” enables hackers to bypass the Transparency, Consent, and Control (TCC) technology of the operating system, granting them access to sensitive user data such as browsing history, camera, microphone, and location.

This vulnerability, identified as CVE-2024-44133, has been categorized with a medium severity rating by Microsoft. Upon identifying the issue, Microsoft promptly shared its findings with Apple, who then released a fix as part of the macOS Sequoia security updates on September 16, 2024.

Users of macOS are strongly advised to apply these security updates without delay, as Microsoft has detected potential exploitation activity linked to the Adload malware, which is prevalent among macOS users.

Exploiting this vulnerability involves removing the TCC protection for the Safari browser directory and modifying a configuration file within that directory. TCC serves as a safeguard against unauthorized access to personal information by requiring users’ consent before granting access to services like location services, camera, microphone, and more.

Safari, the default browser for macOS, carries the com.apple.private.tcc.allow entitlement, and by leveraging it attackers can bypass TCC checks for the specified services. Third-party browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge do not possess the same privacy entitlements as Safari, so they cannot evade TCC checks.

Microsoft researchers delved into Safari’s underlying configuration files stored in the ~/Library/Safari directory, discovering files containing critical information like browser history, downloads list, and permissions list. By modifying these sensitive files and redirecting Safari to utilize the altered versions, attackers can exploit the vulnerability to execute malicious activities like capturing camera snapshots and tracking device location.

In a potential scenario, hackers could exploit this technique to host camera snapshots for later retrieval, save entire camera streams, record microphone audio for transmission to external servers, access the device’s location, and run Safari in a discreet window to avoid detection.

Additionally, Microsoft has noted suspicious activity on a customer’s device indicating potential exploitation of the HM Surf vulnerability by the Adload malware. While the exact method of exploitation remains unclear, the presence of similar attack techniques underscores the critical need for defense against threats leveraging this vulnerability.
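The technique described above depends on files under ~/Library/Safari being changed by something other than Safari. The following Python detection check is an added example, not code from Microsoft or Apple; the telemetry format, field names, sample file names and the allowlist of writers are assumptions constructed for illustration.

```python
import json
import posixpath

# Assumption: only Safari's own binary should write here; tune per fleet.
ALLOWED_WRITERS = {"/Applications/Safari.app/Contents/MacOS/Safari"}
WRITE_OPS = {"create", "write", "rename", "unlink"}

# Constructed telemetry, one JSON event per line; field names are hypothetical.
SAMPLE_EVENTS = """
{"user":"alice","proc":"/Applications/Safari.app/Contents/MacOS/Safari","op":"write","path":"/Users/alice/Library/Safari/History.db"}
{"user":"alice","proc":"/tmp/updater","op":"write","path":"/Users/alice/Library/Safari/permissions.example"}
{"user":"alice","proc":"/usr/bin/python3","op":"read","path":"/Users/alice/Library/Safari/History.db"}
{"user":"bob","proc":"/tmp/updater","op":"rename","path":"/Users/bob/Library/Safari/../Safari/downloads.example"}
{"user":"alice","proc":"/tmp/updater","op":"write","path":"/Users/alice/Library/SafariBackup/notes.txt"}
{"user":"alice","proc":"/tmp/upda
"""


def in_safari_dir(path, user):
    """True if the normalised path is ~/Library/Safari or lies beneath it."""
    root = f"/Users/{user}/Library/Safari"
    norm = posixpath.normpath(path)
    return norm == root or norm.startswith(root + "/")


def flag_tampering(raw):
    """Return (user, process, normalised path) for suspicious writes."""
    hits = []
    for line in raw.splitlines():
        try:
            ev = json.loads(line)
            user, proc, op, path = ev["user"], ev["proc"], ev["op"], ev["path"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue  # blank, truncated or incomplete record
        if op not in WRITE_OPS or proc in ALLOWED_WRITERS:
            continue
        if in_safari_dir(path, user):
            hits.append((user, proc, posixpath.normpath(path)))
    return hits


if __name__ == "__main__":
    for hit in flag_tampering(SAMPLE_EVENTS):
        print("ALERT non-Safari write in Safari data dir:", hit)
```

Paths are normalised before comparison so that a ".." segment or a sibling directory such as SafariBackup neither hides a real hit nor produces a false one.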

The discovery of the HM Surf vulnerability serves as a stark reminder of the ongoing battle against cyber threats and the importance of prompt software updates to mitigate security risks. As technology continues to advance, users must remain vigilant and adhere to best practices to safeguard their personal data and ensure a secure digital experience.
