New macOS vulnerability discovered: get the patch before attackers get access


Microsoft researchers have unveiled a new macOS vulnerability that attackers can exploit to gain unauthorized access to protected data. A patch has been available since September 16th.

Macs use Transparency, Consent, and Control (TCC) technology to prevent apps from accessing users' personal information, such as location, browsing history, camera, microphone, and other sensitive resources, without their consent.

Researchers from Microsoft Threat Intelligence discovered a bypass technique that removes TCC protection from the Safari browser directory.


Following a responsible disclosure, Apple released a fix for the vulnerability on September 16th, 2024, as part of security updates for macOS Sequoia.

Microsoft has already detected malicious activity that potentially exploits this bug.

“We encourage macOS users to apply these security updates as soon as possible. Behavior monitoring protections in Microsoft Defender for Endpoint have detected activity associated with Adload, a prevalent macOS threat family, potentially exploiting this vulnerability,” the report reads.

Normally, any app on macOS asks for the user’s permission before accessing sensitive services or data. However, Apple reserves some entitlements for its own apps, and Safari can freely access the address book, camera, microphone and more. By default, Safari still displays a permission prompt when trying to access these features.

However, attackers can remove TCC protections for the Safari directory by modifying configuration files. If the user then opens a malicious webpage, attackers could take camera snapshots or track the device's location.
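Since the only fix for this bypass is Apple's update, the practical check for a defender is whether a given Mac is running a release that carries it. The script below is an added example for this article, not code from Cybernews or from Microsoft's report. It assumes the first patched release is macOS 15.0 (the Sequoia build Apple shipped on September 16th, 2024); the threshold is kept in one variable so it can be adjusted to whatever version Apple's security release notes name. The version comparison is a general dotted-version routine, so it also handles point releases such as 15.0.1.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft's report): report whether the
# running macOS is at or above the release carrying the TCC fix for Safari.
# ASSUMPTION: the first patched release is 15.0; confirm against Apple's security notes.
MIN_PATCHED_VERSION="15.0"

# version_ge A B: exit 0 if dotted version A >= B, comparing field by field
# numerically, with missing trailing fields treated as 0 (so 15 == 15.0).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# patch_status [VERSION]: print "patched" or "unpatched" for VERSION, defaulting to
# the local system's version from sw_vers (macOS-only). Prints "unknown" and
# returns 2 when no version can be determined.
patch_status() {
    v="${1:-$(sw_vers -productVersion 2>/dev/null)}"
    [ -z "$v" ] && { echo "unknown"; return 2; }
    if version_ge "$v" "$MIN_PATCHED_VERSION"; then
        echo "patched"
    else
        echo "unpatched"
    fi
}

# When run directly on a Mac, report on the local machine.
if command -v sw_vers >/dev/null 2>&1; then
    echo "macOS $(sw_vers -productVersion): $(patch_status)"
fi
```

Run it on a Mac to get a one-line verdict, or pass a version string (for example from an MDM inventory export) to evaluate fleet data on any machine.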

In a real attack, this could be done stealthily, for example by starting Safari in a very small window so as not to draw attention while collecting sensitive private data.

Microsoft researchers observed malicious actors using Adload to detect the current macOS version, get user IDs, check passwords, add bypasses for microphone and camera access, and launch downloaders for the second stage of the attack. However, it is not clear whether the campaign was directly exploiting the vulnerability, which Microsoft dubbed “HM Surf.”

Microsoft also noted that Apple introduced additional protections that prevent these configuration files from being modified by external attackers, which resolves the vulnerability class. Microsoft is working with other major browser vendors to adopt similar protections.


Cybernews recently reported that attackers are very quick to exploit known vulnerabilities. On average, it takes them 5 days to weaponize a new one.