Microsoft has discovered and disclosed information about a vulnerability in Apple’s Transparency, Consent, and Control (TCC) feature used in MacOS. This vulnerability, named Hm Surf and designated as CVE-2024-44133, allows unauthorized access to user data.
The issue was resolved in the MacOS Sequoia 15 update by eliminating the vulnerable code. This vulnerability enabled attackers to access sensitive data, such as browsing history, camera usage, microphone access, and device location, without the user’s consent. The attack involved removing TCC protection for the Safari directory and modifying configuration files.
Microsoft has reported that the vulnerability impacts only Safari and is collaborating with other browser manufacturers to enhance protection of local configuration files.
In the past, Microsoft has identified similar vulnerabilities in MacOS like Shrootless, PowerDir, Achilles, and Migraine, which also allowed bypassing security measures. In the case of HM SURF, the attack involved altering the user’s home directory and modifying critical files like “Persitepreferences.db,” enabling Safari to utilize substituted data upon launch.
Although Safari has privileges to bypass TCC using “Com.Apple.private.tcc.allow” privileges, it also employs the Hardened Runtime mechanism to prevent arbitrary code execution. Additionally, when requesting camera or geolocation access, the browser displays a pop-up window for user confirmation.
Microsoft indicated that this vulnerability may have been exploited in a well-known campaign to distribute Adload advertisements. However, without full details on the attack methods, experts could not definitively confirm the direct use of the HM SURF exploit. Nonetheless, these attacks underscore the significance of keeping security systems up to date.