Microsoft: macOS Vulnerability Potentially Exploited in Adware Attacks

Microsoft on Thursday warned of a recently patched macOS vulnerability potentially being exploited in adware attacks.

The issue, tracked as CVE-2024-44133, allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and access user data.

Apple addressed the bug in macOS Sequoia 15 in mid-September by removing the vulnerable code, noting that only MDM-managed devices are affected.

Exploitation of the flaw, Microsoft says, “involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.”

According to Microsoft, which identified the security defect, only Safari is affected, as third-party browsers do not have the same private entitlements as Apple’s application and cannot bypass the protection checks.

TCC prevents applications from accessing personal information without the user’s consent and knowledge, but some Apple applications, such as Safari, have special privileges, named private entitlements, that may allow them to completely bypass TCC checks for certain services.

The browser, for example, is entitled to access the address book, camera, microphone, and other features, and Apple implemented a hardened runtime to ensure that only signed libraries can be loaded.

“By default, when one browses a website that requires access to the camera or the microphone, a TCC-like popup still appears, which means Safari maintains its own TCC policy. That makes sense, since Safari must maintain access records on a per-origin (website) basis,” Microsoft notes.

Furthermore, Safari’s configuration is maintained in various files under the current user’s home directory, and that directory is protected by TCC to prevent malicious modifications.

However, by changing the home directory using the dscl utility (which does not require TCC access in macOS Sonoma), modifying Safari’s files, and changing the home directory back to the original, Microsoft had the browser load a page that took a camera snapshot and recorded the device location.
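The sequence Microsoft describes (home directory changed with dscl, Safari configuration written, home directory restored) is something endpoint telemetry can be checked for. The following detection logic is an added example, not code from Microsoft, Apple or the original article; it runs over constructed telemetry lines in an assumed format (epoch, user, event type, detail) and flags a change/write/restore sequence inside a time window, while a lone home-directory change (such as an admin migration) is not flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real logs). Assumed line format:
#   <epoch> <user> <type> <detail>
# where type is "exec" (detail = command line) or "write" (detail = path written).
SAMPLE_EVENTS = """\
1700000001 alice exec /usr/bin/dscl . -change /Users/alice NFSHomeDirectory /Users/alice /private/tmp/stage
1700000003 alice write /Users/alice/Library/Safari/config.plist
1700000005 alice exec /usr/bin/dscl . -change /Users/alice NFSHomeDirectory /private/tmp/stage /Users/alice
1700000100 bob exec /usr/bin/dscl . -read /Users/bob NFSHomeDirectory
1700000200 carol exec /usr/bin/dscl . -change /Users/carol NFSHomeDirectory /Users/carol /Volumes/Data/carol
1700000210 carol write /Users/carol/Library/Safari/config.plist
"""

# dscl "-change <record> NFSHomeDirectory <old> <new>" rewrites a user's home directory.
HOME_CHANGE = re.compile(r"\bdscl\b.*\s-change\s+(\S+)\s+NFSHomeDirectory\s+(\S+)\s+(\S+)")
WINDOW_SECONDS = 600  # assumed: change and restore must happen within 10 minutes

@dataclass
class Event:
    ts: int
    user: str
    kind: str
    detail: str

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, user, kind, detail = line.split(" ", 3)
        events.append(Event(int(ts), user, kind, detail))
    return events

def find_home_swap_sequences(events):
    """Return (user, start_ts, end_ts) for every 'home dir changed -> write under the
    original home's Library/Safari -> home dir restored' sequence within the window."""
    alerts = []
    pending = {}  # user -> (change_ts, original_home, temp_home, saw_safari_write)
    for ev in sorted(events, key=lambda e: e.ts):
        m = HOME_CHANGE.search(ev.detail) if ev.kind == "exec" else None
        if m:
            _record, old, new = m.groups()
            p = pending.get(ev.user)
            if p and p[2] == old and p[1] == new and ev.ts - p[0] <= WINDOW_SECONDS:
                if p[3]:  # restore of the original home after a Safari config write
                    alerts.append((ev.user, p[0], ev.ts))
                del pending[ev.user]
            else:
                pending[ev.user] = (ev.ts, old, new, False)
        elif ev.kind == "write" and ev.user in pending:
            p = pending[ev.user]
            if ev.detail.startswith(p[1] + "/Library/Safari/"):
                pending[ev.user] = (p[0], p[1], p[2], True)
    return alerts
```

Only alice's sequence is reported; bob's read-only dscl call and carol's unreverted change are ignored.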

An attacker could exploit the flaw, dubbed HM Surf, to take snapshots, save camera streams, record the microphone, stream audio, and access the device’s location, and can prevent detection by running Safari in a very small window, Microsoft notes.

The tech giant says it has observed activity associated with Adload, a macOS adware family that can provide attackers with the ability to download and install additional payloads, likely attempting to exploit CVE-2024-44133 and bypass TCC.

Adload was seen harvesting information such as macOS version, adding a URL to the microphone and camera approved lists (likely to bypass TCC), and downloading and executing a second-stage script.

“Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique,” Microsoft notes.
