Microsoft has disclosed details about a now-patched security flaw in Apple’s Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user’s privacy preferences and access data.
The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133. It was addressed by Apple as part of macOS Sequoia 15 by removing the vulnerable code.
HM Surf “involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent,” Jonathan Bar Or of the Microsoft Threat Intelligence team said.
Microsoft said the new protections are limited to Apple’s Safari browser, and that it’s working with other major browser vendors to further explore the benefits of hardening local configuration files.
HM Surf follows Microsoft’s discovery of Apple macOS flaws like Shrootless, powerdir, Achilles, and Migraine that could enable malicious actors to sidestep security enforcements.
While TCC is a security framework that prevents apps from accessing users’ personal information without their consent, the newly discovered bug could enable attackers to bypass this requirement and gain access to location services, address book, camera, microphone, downloads directory, and others in an unauthorized manner.
The access is governed by a set of entitlements, with Apple’s own apps like Safari having the ability to completely sidestep TCC using the “com.apple.private.tcc.allow” entitlement.
While this allows Safari to freely access sensitive permissions, it also incorporates a new security mechanism called Hardened Runtime that makes it challenging to execute arbitrary code in the context of the web browser.
That said, when users visit a website that requests location or camera access for the first time, Safari prompts for access via a TCC-like popup. These entitlements are stored on a per-website basis within various files located in the “~/Library/Safari” directory.
The HM Surf exploit devised by Microsoft hinges on performing the following steps –
- Changing the home directory of the current user with the dscl utility, a step that does not require TCC access in macOS Sonoma
- Modifying the sensitive files (e.g., PerSitePreferences.db) within “~/Library/Safari” under the user’s real home directory
- Changing the home directory back to the original directory causes Safari to use the modified files
- Launching Safari to open a web page that takes a snapshot via the device’s camera and grab the location
The attack could be extended further to save an entire camera stream or stealthily capture audio through the Mac’s microphone, Microsoft said. Third-party web browsers don’t suffer from this problem as they do not have the same private entitlements as Apple applications.
Microsoft noted it observed suspicious activity associated with a known macOS adware threat named AdLoad likely exploiting the vulnerability, making it imperative that users take steps to apply the latest updates.
“Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself,” Bar Or said. “Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.”