Microsoft has revealed details about a recently patched security vulnerability in macOS that stemmed from a flaw in Apple’s Transparency, Consent, and Control (TCC) framework.
This vulnerability, codenamed HM Surf, allowed attackers to bypass a user’s privacy settings, gaining unauthorized access to sensitive data. Tracked as CVE-2024-44133, the flaw was fixed by Apple with the release of macOS Sequoia 15, which removed the problematic code.
HM Surf specifically involved disabling TCC protections for Safari’s browser directory. Attackers could manipulate a configuration file to access private data, including visited web pages, the device’s camera, microphone, and location, without user consent.
A researcher from the Microsoft Threat Intelligence team explained that the exploit granted access by altering the Safari browser directory and modifying configuration settings. This would allow hackers to hijack personal information and bypass normal privacy warnings.
The vulnerability affected only Safari; third-party browsers were unaffected because their permission structures differ from Safari’s. The flaw is part of a broader trend of macOS vulnerabilities, including previously identified issues like Shrootless and Achilles, which allowed malicious actors to bypass security enforcements.
TCC is a vital macOS framework that prevents apps from accessing users’ personal data without consent. However, HM Surf enabled attackers to break through this barrier, accessing location services, the camera, microphone, and other sensitive files.
Apple’s own apps, including Safari, carry private entitlements that let them bypass TCC checks, which makes them more attractive targets for exploitation: whoever subverts such an app inherits its access.
Microsoft noted that the attack relied on altering the home directory of the current user, modifying critical files in Safari’s directory, and then restoring the home directory back to its original state.
Once Safari was relaunched, the manipulated files allowed attackers to gain unauthorized access to the camera and microphone.
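The sequence just described (change the home directory, write into Safari’s directory, restore the home directory, relaunch Safari) is something a defender can look for as an ordered chain of events per user rather than as individual alerts. The script below is an added example, not code from Microsoft’s or Apple’s write-ups: it correlates those four stages over constructed audit-style log lines. The log format, the event names (`home_dir_changed`, `file_write`, `process_exec`) and the configuration file name are assumptions made for the example; a real deployment would map them onto whatever endpoint telemetry is available.

```python
"""Correlate the HM Surf-style event chain in constructed macOS audit-style logs.

Stages, in order, for a single user:
  1. home directory changed
  2. a file written under a Library/Safari/ directory
  3. home directory changed again (restored)
  4. Safari launched
The log format and field names below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed line format: "<ISO timestamp> user=<name> event=<type> detail=<free text>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) detail=(?P<detail>.*)$"
)

SAFARI_DIR = "/Library/Safari/"  # substring that identifies Safari's per-user directory


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    detail: str


def parse_lines(lines):
    """Parse log lines into Event objects, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["event"], m["detail"]))
    return events


# One predicate per stage; the chain must match in this order.
def is_home_change(e):
    return e.event == "home_dir_changed"


def is_safari_write(e):
    return e.event == "file_write" and SAFARI_DIR in e.detail


def is_safari_launch(e):
    return e.event == "process_exec" and e.detail.endswith("/Safari")


STAGES = [is_home_change, is_safari_write, is_home_change, is_safari_launch]


def _matches_sequence(evs, window):
    """True if time-ordered evs contain all STAGES in order, starting within `window`."""
    for start, first in enumerate(evs):
        if not STAGES[0](first):
            continue
        stage = 0
        for e in evs[start:]:
            if e.ts - first.ts > window:
                break
            if STAGES[stage](e):
                stage += 1
                if stage == len(STAGES):
                    return True
    return False


def detect(events, window=timedelta(minutes=10)):
    """Return the users whose events contain the full chain within `window`."""
    by_user = {}
    for e in sorted(events, key=lambda x: x.ts):
        by_user.setdefault(e.user, []).append(e)
    return [user for user, evs in by_user.items() if _matches_sequence(evs, window)]


def detect_from_log(text):
    return detect(parse_lines(text.splitlines()))


# Constructed sample: "alice" shows the full chain, "bob" only a benign home move.
SAMPLE_LOG = """\
2024-09-01T10:00:00 user=alice event=home_dir_changed detail=/Users/alice -> /tmp/staging
2024-09-01T10:00:02 user=alice event=file_write detail=/Users/alice/Library/Safari/ExampleConfig.plist
2024-09-01T10:00:05 user=alice event=home_dir_changed detail=/tmp/staging -> /Users/alice
2024-09-01T10:00:09 user=alice event=process_exec detail=/Applications/Safari.app/Contents/MacOS/Safari
2024-09-01T11:30:00 user=bob event=home_dir_changed detail=/Users/bob -> /Volumes/NewHome/bob
2024-09-01T11:31:00 user=bob event=process_exec detail=/Applications/Safari.app/Contents/MacOS/Safari
"""

if __name__ == "__main__":
    print("flagged users:", detect_from_log(SAMPLE_LOG))
```

The point of matching the stages in order is precision: a home-directory change alone is routine administration (as "bob" shows), and Safari launching is constant noise, but the two home changes bracketing a write into the protected directory, followed by a relaunch, is the specific shape the report describes.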
Although the vulnerability was addressed, Microsoft reported that similar suspicious activity was linked to the macOS adware threat AdLoad. While it is unclear if AdLoad directly exploited the HM Surf vulnerability, the connection highlights the need for vigilance against future attacks.
To mitigate risks from such vulnerabilities, users should ensure they keep their macOS systems and browsers fully updated with the latest security patches. It’s also essential to monitor any unusual activities and use reliable security tools to protect against privacy breaches.