October 18, 2024
Severity
High
Analysis Summary
A vulnerability in Apple's Transparency, Consent, and Control (TCC) architecture in macOS has been patched, but Microsoft has revealed details about how it was likely exploited to circumvent users' privacy preferences and obtain data.
The tech giant dubbed the vulnerability HM Surf, and it is tracked as CVE-2024-44133. Apple resolved it by removing the vulnerable code in macOS Sequoia 15. Through HM Surf, the user's data, including the pages visited and the device's camera, microphone, and location, is accessible without the user's knowledge. This is achieved by removing the TCC protection from the Safari browser directory and altering a configuration file within it.
Microsoft stated that the enhanced security measures are exclusive to Apple's Safari browser and that it is collaborating with other prominent browser providers to investigate the advantages of hardening local configuration files in more detail. HM Surf is the latest in a series of Apple macOS vulnerabilities disclosed by Microsoft, following PowerDir, Achilles, Shrootless, and Migraine, each of which could allow hostile actors to evade security measures.
The recently found bug may allow attackers to get around TCC's security framework, which prohibits apps from accessing users' personal information without authorization. This would allow them to access unauthorized resources such as the downloads directory, address book, camera, microphone, and location services. Access is controlled by a system of entitlements, whereby TCC can be fully circumvented by Apple apps such as Safari by utilizing the "com.apple.private.tcc.allow" entitlement.
While this allows Safari to freely access sensitive permissions, it also incorporates a security mechanism called Hardened Runtime that makes it harder to execute arbitrary code in the context of the web browser. That said, when users visit a website that requests location or camera access for the first time, Safari prompts for access via a TCC-like popup. These per-website permissions are stored in various files located in the "~/Library/Safari" directory.
According to Microsoft, the attack could be expanded further to save a full video stream or covertly record audio using the Mac's microphone. Since third-party web browsers do not have the same private entitlements as Apple programs, they are not affected by this issue. Microsoft also reported observing unusual activity linked to the known macOS adware threat AdLoad that is probably leveraging the vulnerability, so users must install the most recent patches immediately.
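Two defender-side checks that follow from the analysis above, written as an added example for this advisory (not code from Microsoft, Apple, or the advisory itself): first, a version test that treats a host as patched only when it reports macOS 15 or later, since the advisory states the vulnerable code was removed in macOS Sequoia 15; second, a triage routine that flags file-system events in which a process other than Safari modifies anything under the user's "~/Library/Safari" directory, which is where Safari keeps its per-website permission files. The event record layout, the field names, the "/Users/<name>" home-directory convention, and the set of process names treated as Safari are assumptions made for this example, and the sample events are constructed.

```python
"""Defender-side checks related to HM Surf (CVE-2024-44133).

Added example, not part of the advisory. The FsEvent schema, the home
directory layout and the Safari process names are assumptions; the
sample events at the bottom are constructed.
"""
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List

PATCHED_MAJOR = 15                      # macOS Sequoia 15 ships the fix (per the advisory)
SAFARI_DIR = "Library/Safari"           # per-website permission files live here (per the advisory)
SAFARI_PROCESS_NAMES = {"Safari", "com.apple.Safari"}   # assumption: how the sensor names Safari
MODIFYING_ACTIONS = {"write", "create", "rename", "delete", "chmod", "chown"}  # assumption


def is_patched(product_version: str) -> bool:
    """Return True if a macOS version string (e.g. "15.0.1") is at or above Sequoia 15."""
    match = re.match(r"^\s*(\d+)(?:\.(\d+))?", product_version)
    if not match:
        raise ValueError(f"unrecognised macOS version string: {product_version!r}")
    return int(match.group(1)) >= PATCHED_MAJOR


def local_macos_version() -> str:
    """Ask the running system for its version; only meaningful on macOS."""
    return subprocess.check_output(["sw_vers", "-productVersion"], text=True).strip()


@dataclass(frozen=True)
class FsEvent:
    """A simplified file-system audit record (constructed schema for this example)."""
    user: str      # account whose home directory is touched
    process: str   # name of the process performing the action
    action: str    # one of MODIFYING_ACTIONS, or a read-only action such as "open"
    path: str      # absolute path acted on


def _safari_dir_for(user: str) -> str:
    # Assumption: home directories follow the default /Users/<name> layout.
    return os.path.join("/Users", user, SAFARI_DIR)


def is_suspicious(event: FsEvent) -> bool:
    """True when a non-Safari process modifies the Safari directory or anything inside it."""
    if event.action not in MODIFYING_ACTIONS:
        return False
    safari_dir = _safari_dir_for(event.user)
    path = os.path.normpath(event.path)
    inside = path == safari_dir or path.startswith(safari_dir + os.sep)
    return inside and event.process not in SAFARI_PROCESS_NAMES


def triage(events: Iterable[FsEvent]) -> List[FsEvent]:
    """Filter a batch of events down to those worth an analyst's attention."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events: one benign Safari write, two non-Safari
# modifications under the Safari directory, and one write elsewhere.
SAMPLE_EVENTS = [
    FsEvent("alice", "Safari", "write", "/Users/alice/Library/Safari/example.db"),
    FsEvent("alice", "unknown_binary", "chmod", "/Users/alice/Library/Safari"),
    FsEvent("alice", "unknown_binary", "write", "/Users/alice/Library/Safari/example.db"),
    FsEvent("alice", "unknown_binary", "write", "/Users/alice/Downloads/notes.txt"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process} performed {hit.action} on {hit.path}")
    try:
        print("patched:", is_patched(local_macos_version()))
    except (OSError, subprocess.CalledProcessError):
        print("sw_vers unavailable; not running on macOS")
```

The version check is deliberately coarse (major version only), which matches the advisory's statement that the fix landed with Sequoia 15; if you track per-build fixes, compare the full version against your patch baseline instead. The triage rule will also fire on legitimate tooling such as backup agents, so pair it with an allow-list of known processes before wiring it into alerting.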
Impact
- Security Bypass
- Sensitive Data Theft
- Unauthorized Access
Indicators of Compromise
CVE
- CVE-2024-44133
Affected Vendors
- Apple
Affected Products
- Apple macOS - unspecified
- Apple macOS Sequoia - 14
Remediation
- Refer to the Apple Security Document for patch, upgrade, or suggested workaround information.
- Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.