Microsoft Discovers Critical macOS Vulnerability Allowing Unauthorized Data Access

Microsoft Threat Intelligence has identified a vulnerability in macOS that could allow attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, potentially gaining unauthorized access to protected user data.

The vulnerability, named "HM Surf," involves disabling TCC protection for the Safari browser's directory and altering a configuration file within that directory to access sensitive data, such as browsing history, the device’s camera, microphone, and location, without user consent.

Upon discovering this vulnerability, Microsoft reported it to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). Apple addressed the issue, now cataloged as CVE-2024-44133, in the security updates for macOS Sequoia released on September 16, 2024. Currently, the new TCC protections are exclusive to Safari, while Microsoft collaborates with other major browser developers to explore the benefits of securing local configuration files further.

macOS users are urged to install these security updates without delay. Microsoft Defender for Endpoint has identified activity associated with Adload, a widespread macOS threat that may exploit this vulnerability. Defender for Endpoint can detect and prevent exploitation of CVE-2024-44133, including unauthorized modification of the Preferences file using HM Surf or other techniques.


How Attackers Can Circumvent macOS Protections

The role of TCC in macOS is to safeguard user data by preventing applications from accessing personal information—such as location, camera, microphone, and downloads—without explicit user approval. Typically, an app can access these services only if the user consents through an interface prompt or by granting access in the system settings. In this blog, we explain how HM Surf can be used to circumvent TCC protections and offer guidance on defending against exploitation.

Attackers can exploit macOS by disabling the Transparency, Consent, and Control (TCC) protection for the Safari browser and altering a configuration file within the browser's directory, according to Microsoft.

Safari, as the default macOS browser, can bypass TCC protections through the use of a specific entitlement: com.apple.private.tcc.allow. This entitlement permits Safari to skip TCC checks for any services listed under it, which is why tampering with Safari's own configuration gives an attacker a path to those services.

However, third-party browsers on macOS—such as Google Chrome, Mozilla Firefox, and Microsoft Edge—do not have the same TCC privileges as Safari. This means they cannot be used in the same way to bypass privacy checks.

Microsoft researchers discovered that Safari stores its settings in several files located in the user's home directory (~/Library/Safari). These files contain sensitive information, such as browsing history, download records, and permissions.

The researchers found a way to modify crucial files in the actual home directory (e.g., /Users/$USER/Library/Safari/PerSitePreferences.db) and then reset the home directory so Safari would use the altered files. This manipulation enabled them to launch Safari and load a webpage capable of taking a camera snapshot and tracking the device's location.
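From a detection standpoint, the two observable signals in the description above are a write to Safari's settings files by something other than Safari, and a change to the user's home directory. The following is an added example, not code from the Microsoft report; it runs a simple triage over constructed endpoint events in an assumed JSON schema (field names, the Safari binary path and the sample events are all assumptions).

```python
import json
import os
import re

# Safari's per-user settings directory and the file the article names as
# the one that was tampered with.
SAFARI_DIR_RE = re.compile(r"^/Users/[^/]+/Library/Safari/")
WATCHED_FILES = {"PerSitePreferences.db"}
# Assumption: the only binary expected to write Safari's preferences.
ALLOWED_WRITERS = {"/Applications/Safari.app/Contents/MacOS/Safari"}


def is_suspicious_write(event):
    """File write to a watched Safari settings file by a non-Safari process."""
    if event.get("type") != "file_write":
        return False
    path = event.get("path", "")
    if not SAFARI_DIR_RE.match(path):
        return False
    if os.path.basename(path) not in WATCHED_FILES:
        return False
    return event.get("process") not in ALLOWED_WRITERS


def is_home_change(event):
    """User-record edit that moves the home directory (old and new differ)."""
    return (event.get("type") == "user_home_change"
            and event.get("old_home") != event.get("new_home"))


def scan(lines):
    """Return one (rule, subject, detail) tuple per suspicious event line."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if is_suspicious_write(ev):
            findings.append(("safari_prefs_write", ev["process"], ev["path"]))
        elif is_home_change(ev):
            findings.append(("home_redirect", ev["user"], ev["new_home"]))
    return findings


# Constructed sample events in an assumed schema (not real telemetry).
SAMPLE_EVENTS = [
    '{"type":"file_write","process":"/Applications/Safari.app/Contents/MacOS/Safari","path":"/Users/alice/Library/Safari/PerSitePreferences.db"}',
    '{"type":"user_home_change","user":"alice","old_home":"/Users/alice","new_home":"/tmp/x"}',
    '{"type":"file_write","process":"/usr/bin/python3","path":"/Users/alice/Library/Safari/PerSitePreferences.db"}',
    '{"type":"user_home_change","user":"alice","old_home":"/tmp/x","new_home":"/Users/alice"}',
    '{"type":"file_write","process":"/usr/bin/python3","path":"/Users/alice/Documents/notes.txt"}',
]
```

On the sample, `scan(SAMPLE_EVENTS)` yields three findings: both home-directory changes and the non-Safari write to PerSitePreferences.db, while Safari's own write and the unrelated file are ignored.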


Read the complete Microsoft Threat Intelligence Report here

Toshiyuki Warashina

Experienced Representative @ Affordable Finds From Japan LLC | ISO Auditor

4 months

Caution! It's an important red alert for Mac OS users.

Reply

OK Boštjan Dolinšek

Reply
Christian Zentgraf

IT Consultant at Mawoh GmbH

5 months

i want Win NT back! o.O

Reply
Jacques Danon

Application Manager | IT Production and Security Coordinator | IT Infrastructure Coordinator | IT Auditor | Information Security | IT Governance

5 months

Any vulnerability must be remediated as soon as possible so as to avoid any harm.

Reply
Silvio Augusto Rossi De Pieri

Information Technology Infrastructure Analyst

5 months

Unfortunately, nothing related to systems and electronics is safe; for everything there is a vulnerability, or more than one. Perhaps some existing ones have not yet been discovered, but they will be, and explored!

Reply
