Oct 18, 2024 | Ravie Lakshmanan | Threat Intelligence / Browser Security
Microsoft has disclosed details about a now-patched security flaw in Apple’s Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user’s privacy preferences and access data.
The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133. It was addressed by Apple as part of macOS Sequoia 15 by removing the vulnerable code.
Jonathan Bar Or of the Microsoft Threat Intelligence team explained, “HM Surf involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.”
Microsoft noted that the new protections apply only to Apple's Safari browser, and said it is working with other major browser vendors to look into hardening local configuration files in the same way.
HM Surf is the latest in a series of Apple macOS vulnerabilities discovered by Microsoft, following issues like Shrootless, powerdir, Achilles, and Migraine, which could potentially be leveraged by malicious actors to bypass security safeguards.
TCC is designed to stop apps from reaching user data (location, camera, microphone and other protected resources) without the user's explicit approval; the HM Surf bug lets an attacker sidestep those checks and obtain that data without consent.
Safari carries a private entitlement that exempts it from TCC prompts, which is what makes it a useful target. The browser is also built with Hardened Runtime, which blocks code injection and the loading of untrusted libraries, so an attacker cannot simply run their own code inside Safari to inherit that entitlement. HM Surf works around this by tampering with the configuration Safari reads rather than with Safari itself.
According to Microsoft's findings, the HM Surf exploit chain changes the user's home directory (the step that strips the TCC protection from the Safari directory), modifies sensitive files in that directory, and then launches Safari so that the tampered configuration lets a web page capture user data through the camera and location services.
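The chain above (home-directory manipulation, a non-Safari process writing into the Safari directory, then a Safari launch) is a sequence a detection rule can look for. The following is an added example, not code from Microsoft, Apple or the article: a small ordered-stage correlator run over constructed sample telemetry. The event field names (ts, user, proc, kind, detail), the use of a `dscl` user-record change as the home-directory signal, the file names and the 15-minute window are all assumptions made for illustration; a real deployment would map its EDR or Endpoint Security feed onto the same shape.

```python
from datetime import datetime, timedelta

# Ordered stages of the chain the article describes: home-directory manipulation,
# tampering with files in the Safari directory, then a Safari launch.
STAGES = ("home_dir_change", "safari_config_write", "safari_launch")
WINDOW = timedelta(minutes=15)  # assumption: the whole chain completes quickly

# Constructed sample telemetry (not real logs). Field names are this example's own;
# the "dscl" record change and the file names are assumptions used for illustration.
SAMPLE_EVENTS = [
    # Safari writing its own files is normal and must not count as tampering
    {"ts": "2024-10-18T09:00:00", "user": "alice", "proc": "Safari",
     "kind": "file_write", "detail": "/Users/alice/Library/Safari/History.db"},
    {"ts": "2024-10-18T09:05:00", "user": "alice", "proc": "dscl",
     "kind": "user_record_modified", "detail": "NFSHomeDirectory=/private/tmp/fakehome"},
    {"ts": "2024-10-18T09:05:02", "user": "alice", "proc": "python3",
     "kind": "file_write", "detail": "/Users/alice/Library/Safari/SomePrefs.plist"},
    {"ts": "2024-10-18T09:05:03", "user": "alice", "proc": "dscl",
     "kind": "user_record_modified", "detail": "NFSHomeDirectory=/Users/alice"},
    {"ts": "2024-10-18T09:05:05", "user": "alice", "proc": "launchd",
     "kind": "process_exec", "detail": "/Applications/Safari.app/Contents/MacOS/Safari"},
    # A home-directory change followed by a Safari launch but no config write: no alert
    {"ts": "2024-10-18T11:00:00", "user": "bob", "proc": "dscl",
     "kind": "user_record_modified", "detail": "NFSHomeDirectory=/Users/bob2"},
    {"ts": "2024-10-18T11:00:10", "user": "bob", "proc": "launchd",
     "kind": "process_exec", "detail": "/Applications/Safari.app/Contents/MacOS/Safari"},
]


def classify(event):
    """Map one raw event to an HM Surf stage, or None if it is irrelevant."""
    kind, proc, detail = event["kind"], event["proc"], event["detail"]
    if kind == "user_record_modified" and detail.startswith("NFSHomeDirectory="):
        return "home_dir_change"
    # Only a non-Safari process writing into Library/Safari is suspicious
    if kind == "file_write" and "/Library/Safari/" in detail and proc != "Safari":
        return "safari_config_write"
    if kind == "process_exec" and detail.endswith("/Safari.app/Contents/MacOS/Safari"):
        return "safari_launch"
    return None


def detect_hm_surf(events, window=WINDOW):
    """Return one alert per user whose events complete the stage sequence, in order,
    within `window`. Events must be supplied in arrival (time) order."""
    alerts = []
    progress = {}  # user -> {"next": awaited stage index, "start": datetime, "evidence": [events]}
    for ev in events:
        stage = classify(ev)
        if stage is None:
            continue
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        state = progress.get(user)
        if state is not None and ts - state["start"] > window:
            progress.pop(user)  # chain went stale; forget it
            state = None
        if stage == STAGES[0]:
            if state is None:
                progress[user] = {"next": 1, "start": ts, "evidence": [ev]}
            else:
                # A further home-directory change (e.g. putting it back) stays in the chain
                state["evidence"].append(ev)
        elif state is not None and stage == STAGES[state["next"]]:
            state["evidence"].append(ev)
            state["next"] += 1
            if state["next"] == len(STAGES):
                alerts.append({"user": user, "start": state["start"].isoformat(),
                               "end": ts.isoformat(), "evidence": state["evidence"]})
                progress.pop(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_hm_surf(SAMPLE_EVENTS):
        print(f"HM Surf-like chain for {alert['user']}: {alert['start']} .. {alert['end']}, "
              f"{len(alert['evidence'])} events")
```

Run as-is it reports one chain for `alice` and nothing for `bob`, whose home-directory change is never followed by a write into the Safari directory. The rule deliberately ignores Safari writing its own files, which is the main source of noise on a real host, and it keys the first stage on the directory-services record change rather than on the `$HOME` variable, since the latter is trivially set per process.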
Third-party browsers are not affected by this particular exploit, since they lack Safari's TCC entitlement, but Microsoft emphasized the importance of keeping systems up to date to prevent attacks leveraging this technique.