Microsoft Exposes macOS Flaw Allowing Privacy Controls in Safari Browser to be Circumvented

Microsoft has shared information about a recently fixed security vulnerability in Apple’s Transparency, Consent, and Control (TCC) framework in macOS that may have been exploited to override a user’s privacy settings and access data.

The flaw, which Microsoft has named HM Surf, is tracked as CVE-2024-44133. Apple has already addressed this issue in macOS Sequoia 15 by eliminating the vulnerable code.

According to Jonathan Bar Or from the Microsoft Threat Intelligence team, HM Surf “involves bypassing the TCC protection for the Safari browser directory and modifying a configuration file within the directory to access the user’s data, such as visited pages, the device’s camera, microphone, and location, without the user’s consent.”

Microsoft noted that the enhanced protections apply only to Apple’s Safari browser, and that it is collaborating with other major browser providers to explore additional ways to strengthen local configuration files.

HM Surf adds to Microsoft’s earlier findings of Apple macOS vulnerabilities such as Shrootless, powerdir, Achilles, and Migraine, which could enable malicious actors to circumvent security measures.

While TCC is designed to prevent apps from accessing personal information without consent, the newly discovered bug could allow attackers to evade this requirement and gain unauthorized access to location services, address book, camera, microphone, downloads directory, and more.

The access is controlled by entitlements, with Apple’s Safari having the “com.apple.private.tcc.allow” entitlement that enables it to bypass TCC completely.

Although this lets Safari use sensitive permissions freely, the browser is also protected by a security feature known as Hardened Runtime, which makes it difficult to execute arbitrary code in the web browser’s context.

When users encounter a website asking for location or camera access for the first time, Safari prompts for permission via a TCC-like popup. The entitlements are stored per website in various files within the “~/Library/Safari” directory.

Microsoft’s HM Surf exploit involves the following steps:

  • Changing the home directory of the current user using the dscl utility, which does not require TCC access in macOS Sonoma
  • Modifying sensitive files (e.g., PerSitePreferences.db) in the “~/Library/Safari” directory under the user’s original home directory
  • Reverting the home directory back to its original location to make Safari utilize the modified files
  • Launching Safari to access a web page that captures images from the device’s camera and retrieves location data

This attack could potentially extend to recording a camera stream or capturing audio discreetly through the Mac’s microphone, as noted by Microsoft. Third-party browsers do not face this issue because they lack the same private entitlements as Apple apps.

Microsoft observed suspicious activities related to the known macOS adware threat AdLoad, indicating possible exploitation of the vulnerability. Users are advised to apply the latest updates to stay protected.

“While we cannot confirm if the AdLoad campaign is exploiting the HM surf vulnerability directly, the similarity in methods highlights the need for defenses against attacks using this technique,” said Bar Or.
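
As a defender-side illustration of the first and third steps listed above, the following added example (not code from Microsoft or Apple) scans process-execution log lines for a `dscl` home-directory change that is reverted shortly afterwards. The log format, the sample events, the 10-minute window and the function names are assumptions made for this example; `NFSHomeDirectory` is the directory-service attribute that holds a user's home path.

```python
import shlex
from datetime import datetime, timedelta

# Constructed process-execution events ("<ISO timestamp> <command line>"); not real telemetry.
SAMPLE_EVENTS = [
    "2024-10-01T10:00:00 /usr/bin/dscl . -read /Users/alice NFSHomeDirectory",
    "2024-10-01T10:00:05 /usr/bin/dscl . -change /Users/alice NFSHomeDirectory /Users/alice /tmp/stage",
    "2024-10-01T10:00:09 /usr/bin/dscl . -change /Users/alice NFSHomeDirectory /tmp/stage /Users/alice",
    "2024-10-01T11:30:00 /usr/bin/dscl . -change /Users/bob NFSHomeDirectory /Users/bob /Volumes/Data/bob",
]


def parse_home_change(line):
    """Return (time, user, old_home, new_home) for a dscl home-directory change, else None."""
    stamp, _, cmdline = line.partition(" ")
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("dscl") or "-change" not in argv:
        return None
    rest = argv[argv.index("-change") + 1:]
    # Expected shape: <record path> NFSHomeDirectory <old value> <new value>
    if len(rest) != 4 or rest[1] != "NFSHomeDirectory":
        return None
    record, _, old, new = rest
    user = record.rsplit("/", 1)[-1]
    return datetime.fromisoformat(stamp), user, old.rstrip("/"), new.rstrip("/")


def find_swap_and_revert(lines, window=timedelta(minutes=10)):
    """Flag users whose home directory is moved away and restored within `window`."""
    pending = {}  # user -> (time of change, original home, temporary home)
    alerts = []
    for line in lines:
        parsed = parse_home_change(line)
        if parsed is None:
            continue
        when, user, old, new = parsed
        prev = pending.get(user)
        # A revert is the exact inverse of the pending change, seen soon after it.
        if prev and new == prev[1] and old == prev[2] and when - prev[0] <= window:
            alerts.append({"user": user, "original": prev[1], "temporary": prev[2],
                           "seconds": int((when - prev[0]).total_seconds())})
            del pending[user]
        else:
            pending[user] = (when, old, new)
    return alerts


if __name__ == "__main__":
    for alert in find_swap_and_revert(SAMPLE_EVENTS):
        print("home directory swapped and reverted:", alert)
```

A one-way change such as the constructed `bob` event is a normal administrative action and is not flagged; an alert becomes more meaningful when correlated with writes to files under “~/Library/Safari”, such as PerSitePreferences.db, by a process other than Safari.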
