A security weakness in the Safari browser on macOS devices might have exposed users to spying, data theft, and other forms of malware.
The issue is enabled by the special permissions Apple gives to its proprietary apps — in this case, its browser — and the ease with which an attacker can reach important app configuration files. In the end, it allows an attacker to bypass the Transparency, Consent, and Control (TCC) security layer that MacBooks use to guard sensitive data. Its CVE entry, CVE-2024-44133, has earned a “medium” severity 5.5 rating in the Common Vulnerability Scoring System (CVSS).
Researchers from Microsoft have named their exploit of CVE-2024-44133 “HM Surf.” In a new blog post, they described how HM Surf could open the door to a user’s browsing data, camera, and microphone, as well as their device’s location, among other things. And the threat doesn’t only appear to be theoretical: There’s already inconclusive but not insignificant evidence to suggest that one adware program has already exploited CVE-2024-44133, or something quite like it, in the wild.
Apple released a fix for CVE-2024-44133 in its update to macOS Sequoia back on Sept. 16.
“It’s a serious concern, because of the unauthorized access it gives,” says Xen Madden, cybersecurity expert at Menlo Security, emphasizing the need for organizations to update their macOS devices. But, she adds, “By the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it.”
Exploiting HM Surf
In any and all Apple devices, TCC is there to manage what sensitive data and features apps can access. If some app wants to access your camera, for example, thanks to TCC, you can rest assured that your Mac will ask for your permission first.
Unless your app has a special “entitlement.” Some of Apple’s proprietary apps possess entitlements — special permissions, approved by Apple, which allow them unique privileges compared to other apps. The core of why HM Surf works is Safari’s entitlement, “com.apple.private.tcc.allow,” which allows it to bypass TCC at an app level, and apply it only on a per website (“per origin”) basis. In other words, Safari can freely access your camera and microphone as it wishes, but any given website you visit through Safari likely cannot.
Safari’s configuration — including the rules that define per-origin TCC protections — are stored in various files under ~/Library/Safari, within the user’s home directory. Manipulating these files could provide a path to TCC bypass, though the home directory is itself TCC protected.
Getting around that roadblock is simple, though, using the autological directory service command line utility (DSCL), a tool in macOS for managing directory services from the command line. In HM Surf, DSCL is used to temporarily change the home directory, removing the TCC umbrella shielding ~/Library/Safari. Now they could modify Safari’s per-origin TCC configurations — allowing all kinds of permissions for a malicious website of their own creation — before ultimately reinstating the home directory. Thereafter, if a user visited the malicious site, the site would have full rein to capture screenshots, location data, and more, without ever triggering a permission pop-up.
Was CVE-2024-44133 Already Exploited?
After concocting their exploit, Microsoft started scanning customer environments for activity that aligned with what they’d found. On one device, lo and behold, they spotted something quite closely resembling what they were looking for.
It was a program digging into the victim’s Chrome configuration settings, adding approval for microphone and camera access to a specific URL. It also did more: gathering user and device information, laying the groundwork for a second-stage payload.
This program, it turned out, was a well-known macOS adware program called “AdLoad.” AdLoad hijacks and redirects browser traffic, pestering users with unwanted advertisements. It also goes further: harvesting user data, turning infected devices into nodes in a botnet, and acting as a staging ground for further malicious payloads.
In its blog post, Microsoft noted that though AdLoad’s activity closely resembled the HM Surf technique, “Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself.” Still, it added, “Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.”
Dark Reading has contacted both Apple and Microsoft for further comment on this story.
Source: www.darkreading.com