New macOS Vulnerability Allows Attackers to Bypass Security Controls


A recently discovered vulnerability in macOS, dubbed “HM Surf,” allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, gaining unauthorized access to a user’s protected data.

This vulnerability, identified as CVE-2024-44133, was uncovered by Microsoft Threat Intelligence and has since been addressed by Apple in the latest security updates for macOS Sequoia, released on September 16, 2024.


The HM Surf vulnerability involves removing TCC protection for the Safari browser directory and modifying a configuration file within that directory.

This allows attackers to access sensitive user data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.

Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).

Currently, only Safari uses the new protections provided by TCC, and Microsoft is collaborating with other major browser vendors to investigate the benefits of hardening local configuration files.


macOS Vulnerability Allows Attackers to Bypass Controls

Behavior monitoring protections in Microsoft Defender for Endpoint have detected activity associated with Adload, a prevalent macOS threat family, potentially exploiting this vulnerability.

Attackers could use this technique to gather sensitive information, such as browsing history, and gain unauthorized access to the device’s camera, microphone, and location.

An exploit for HM Surf involves changing the home directory of the current user, modifying sensitive files under the user’s real home directory, and running Safari to open a webpage that takes a camera snapshot and traces the device location.

Figure: permission popup from Safari (Source: Microsoft)

Attackers could perform stealthy actions, such as hosting the snapshot privately, saving an entire camera stream, recording and streaming microphone audio, and starting Safari in a small window to avoid drawing attention.

Figure: camera access via JavaScript (Source: Microsoft)

Microsoft encourages macOS users to apply the security updates released by Apple as soon as possible. Microsoft Defender for Endpoint can detect and block CVE-2024-44133 exploitation, including anomalous modification of the Preferences file through HM Surf or other methods.
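The article names two observable steps in an HM Surf attack: the user's home directory is changed so TCC no longer guards the real Safari directory, and a configuration file under that real directory is then modified by something other than Safari. As an added example (not Microsoft's or Apple's detection logic, and not code from the article), the Python below scans a short list of constructed endpoint events and raises an alert for either step. It assumes the Safari directory sits at <home>/Library/Safari, the standard macOS location; the configuration file name and the process names in the sample events are placeholders, since the article does not state them.

```python
"""Constructed detection example for the HM Surf (CVE-2024-44133) pattern.

Two rules, matching the steps described in the article:
  1. home_dir_changed: a user's home directory attribute is rewritten away
     from the value the directory service originally provisioned.
  2. safari_config_write_by_foreign_process: a file under the user's real
     Safari directory is written by a process that is not Safari.
Events here are constructed for the example, not real telemetry.
"""
import posixpath  # posixpath keeps macOS-style paths stable on any host
from dataclasses import dataclass

# Assumption: Safari's per-user directory is <home>/Library/Safari.
SAFARI_DIR_SUFFIX = "/Library/Safari"
# Process names allowed to write there; a real deployment would key on
# code-signing identity rather than a bare process name.
TRUSTED_WRITERS = {"Safari", "com.apple.Safari"}


@dataclass
class Alert:
    rule: str
    detail: str


def detect(events, directory_service):
    """Return a list of Alert for events matching either HM Surf step.

    directory_service maps user -> provisioned home directory, i.e. the
    home TCC is actually protecting regardless of later attribute changes.
    """
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "user_attr_change" and ev.get("attr") == "home":
            provisioned = directory_service.get(ev["user"])
            if ev["new"] != provisioned:
                alerts.append(Alert(
                    "home_dir_changed",
                    f'{ev["user"]}: {ev["old"]} -> {ev["new"]} by {ev["process"]}'))
        elif kind == "file_write":
            home = directory_service.get(ev["user"], "")
            if not home:
                continue
            # normpath collapses ".." so a path written through the
            # parent directory still resolves inside the Safari directory
            path = posixpath.normpath(ev["path"])
            safari_dir = posixpath.normpath(home + SAFARI_DIR_SUFFIX)
            inside = path == safari_dir or path.startswith(safari_dir + "/")
            if inside and ev["process"] not in TRUSTED_WRITERS:
                alerts.append(Alert(
                    "safari_config_write_by_foreign_process",
                    f'{ev["process"]} wrote {path}'))
    return alerts


# Constructed provisioning record and event stream.
DIRECTORY_SERVICE = {"alice": "/Users/alice"}

# "example-config.plist" and "suspicious_binary" are placeholders.
SAMPLE_EVENTS = [
    # Benign: Safari itself updating its own configuration.
    {"type": "file_write", "user": "alice", "process": "Safari",
     "path": "/Users/alice/Library/Safari/example-config.plist"},
    # Step 1: home directory attribute moved to an unprotected location.
    {"type": "user_attr_change", "attr": "home", "user": "alice",
     "old": "/Users/alice", "new": "/tmp/alt-home", "process": "suspicious_binary"},
    # Step 2: real Safari directory written by a non-Safari process.
    {"type": "file_write", "user": "alice", "process": "suspicious_binary",
     "path": "/Users/alice/Library/Safari/example-config.plist"},
    # Benign: same process writing outside the Safari directory.
    {"type": "file_write", "user": "alice", "process": "suspicious_binary",
     "path": "/Users/alice/Documents/notes.txt"},
    # Step 2 again, disguised with a ".." component that normpath removes.
    {"type": "file_write", "user": "alice", "process": "suspicious_binary",
     "path": "/Users/alice/Library/../Library/Safari/example-config.plist"},
]


def run_sample():
    """Run the detector over the constructed events; returns the alerts."""
    return detect(SAMPLE_EVENTS, DIRECTORY_SERVICE)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.rule}] {alert.detail}")
```

The detector keys on the provisioned home directory rather than the user's current one on purpose: once the home attribute has been changed, the current value no longer points at the directory TCC protects, so a rule built on the live value would miss exactly the write the attack depends on.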

Continuous research on vulnerabilities in security technologies like TCC is crucial to ensure user data is protected from unauthorized access.

Software vendors must work quickly to discover and address vulnerabilities before malicious actors can exploit them. Microsoft Defender for Endpoint uses advanced behavioral analytics and machine learning to detect anomalous activities on devices, providing an additional layer of protection.

As cross-platform threats continue to increase, a coordinated response to vulnerability discoveries and threat intelligence sharing will help strengthen protection technologies that secure users’ computing experience across all platforms and devices.
