This New MacOS Vulnerability Can Put Your Protected Data at Risk
- Microsoft Threat Intelligence discovered a new vulnerability that allows threat actors to bypass TCC checks and compromise personal user information.
- Apple has already been informed about this vulnerability and it has released a fix for it.
- Users are advised to quickly apply the security updates because the vulnerability might already be under active exploitation.
Microsoft Threat Intelligence recently discovered a macOS vulnerability that can put your protected data at risk.
This vulnerability, which Microsoft calls HM Surf, lets a threat actor strip the Transparency, Consent, and Control (TCC) protection from Safari's browser directory and modify a configuration file there, so that Safari hands over access to the device camera, microphone, and location, along with a history of browsed pages, all without the user's consent.
Why Was Only Safari Affected?
So far, Safari is the only browser known to be affected. If you are wondering why, out of all Apple apps, Safari was the one that could be abused this way, there is a good reason.
To start, let's understand what exactly TCC does.
- Its job is to prevent apps from accessing personal user information such as location, camera, microphone, downloads, etc.
- However, some Apple apps carry entitlements, privileges digitally signed by Apple, that let the app bypass TCC checks.
- Safari holds some of the most powerful entitlements, so a threat actor who can tamper with Safari's configuration inherits that access and reaches a lot of protected data at once.
The good news is that Microsoft reported the vulnerability to Apple (it is tracked as CVE-2024-44133), and Apple released a fix for it on September 16, 2024, as part of the security updates for macOS Sequoia.
The fix adds new APIs for App Group Containers so that System Integrity Protection (SIP) prevents attackers from modifying those configuration files. Right now only Safari uses the new API; other browsers have yet to follow. On a side note, Chromium may be using os_crypt to address the same problem in a different way.
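Two checks a macOS administrator can run after reading the above, as an added example that is not code from the Techreport article or from Microsoft's write-up: first, list the TCC services an app's signed entitlements grant it (the entitlements discussed in the list above), and second, compare the installed macOS version with the release the article says carries the CVE-2024-44133 fix. The entitlements plist embedded below is a constructed sample shaped like `codesign` output, not Safari's real entitlements; the `--xml` flag to `codesign` and the 15.0 patch threshold are assumptions, the latter taken from the article's statement that the fix shipped with macOS Sequoia.

```python
# Added example, not from the article or from Apple/Microsoft.
import plistlib
import shutil
import subprocess

# Constructed sample entitlements plist, shaped like `codesign -d --entitlements`
# output. The values are illustrative only and are NOT Safari's actual entitlements.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.private.tcc.allow</key>
  <array>
    <string>kTCCServiceMicrophone</string>
    <string>kTCCServiceCamera</string>
    <string>kTCCServiceAddressBook</string>
  </array>
</dict>
</plist>
"""

# Private entitlement through which Apple grants an app TCC services without a prompt.
TCC_ALLOW_KEY = "com.apple.private.tcc.allow"


def tcc_allow_services(plist_bytes):
    """Return, sorted, the TCC services an entitlements plist grants via
    com.apple.private.tcc.allow; empty list if the app has no such entitlement."""
    entitlements = plistlib.loads(plist_bytes)
    services = entitlements.get(TCC_ALLOW_KEY, [])
    if isinstance(services, str):  # a single service may appear as a bare string
        services = [services]
    return sorted(services)


def read_app_entitlements(app_path):
    """Dump an app bundle's entitlements with codesign (macOS only).
    Assumes `codesign -d --entitlements - --xml`, as on recent macOS releases."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; run this on macOS")
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", app_path],
        capture_output=True, check=True,
    )
    return result.stdout


def parse_version(version):
    """'15.0.1' -> (15, 0, 1); non-numeric components are dropped."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def is_patched(product_version, fixed_in="15.0"):
    """True if product_version is at or above the release carrying the fix.
    The 15.0 default is an assumption based on the fix shipping in macOS Sequoia."""
    return parse_version(product_version) >= parse_version(fixed_in)


def installed_macos_version():
    """Installed macOS version as reported by `sw_vers` (macOS only)."""
    result = subprocess.run(["sw_vers", "-productVersion"],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    print("TCC services in sample entitlements:", tcc_allow_services(SAMPLE_ENTITLEMENTS))
    if shutil.which("sw_vers"):
        version = installed_macos_version()
        status = "patched" if is_patched(version) else "NOT patched; update to macOS Sequoia"
        print("macOS", version, status)
        safari = read_app_entitlements("/Applications/Safari.app")
        print("Safari TCC allowances:", tcc_allow_services(safari))
```

Run it on a Mac to see which kTCCService entries Safari's signature carries and whether the installed build is at or past the patched release; on any other system only the offline part runs, against the constructed sample.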
Microsoft Is Still Vigilant
Users are advised to apply these security updates as soon as possible, since the vulnerability may already be under active exploitation.
Behavior monitoring in Microsoft Defender for Endpoint flagged activity associated with Adload, a prevalent macOS threat family. Although Microsoft cannot confirm that this activity exploited the vulnerability, the possibility is real, so it is wise to take precautions and install the security updates.
In the meantime, Microsoft is watching for other macOS vulnerabilities that might crop up and reaching out to other browser vendors to check whether their products have a similar weakness.
Browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge do not have the same entitlements as Safari, so they cannot bypass TCC checks. Nevertheless, Microsoft is still investigating the matter with other browser vendors and exploring with them the benefits of hardening local configuration files.
HM Surf is the latest macOS flaw Microsoft has disclosed, following Migraine, Achilles, powerdir, and Shrootless, all of which allowed threat actors to bypass security checks.
Although Microsoft Defender for Endpoint has coverage for them, so many back-to-back vulnerabilities are a wake-up call to build stronger security systems that cannot be so easily sidestepped.
The post This New MacOS Vulnerability Can Put Your Protected Data at Risk appeared first on Techreport.