
Unauthorized Data Access Possible Due to New macOS Vulnerability
A newly discovered macOS vulnerability could allow a malicious actor to bypass the operating system's Transparency, Consent, and Control (TCC) technology, giving the attacker unauthorized access to protected information belonging to a legitimate user. The vulnerability, named HM Surf, specifically targets the TCC protection of the Safari browser directory. By altering a configuration file in this directory, the malicious actor can gain access to various types of sensitive information, including:
- Browsed pages
- Device camera and microphone
- Device location
Insights from Security Leaders
Xen Madden, Cybersecurity Expert at Menlo Security:
“The macOS ‘HM Surf’ vulnerability (CVE-2024-44133) is concerning due to the unauthorized access it enables. Thankfully, most EDR tools should be able to detect it, especially since Microsoft Defender is already picking it up. Larger organizations with advanced security measures should already have protections in place. However, ensuring all macOS devices are updated, actively monitoring for suspicious activity, and utilizing behavioral-based detection tools are crucial steps for all security teams to take to mitigate potential threats.”
John Bambenek, President at Bambenek Consulting:
“Essentially, this vulnerability is a privilege escalation issue that requires the execution of malicious instructions on the victim’s machine, something that malware could easily accomplish. The primary risk here is targeting home users to capture compromising video for potential extortion. It’s important for security teams to prioritize updating systems and implementing defenses to prevent malware from infiltrating in the first place.”
Balazs Greksza, Threat Response Lead at Ontinue:
“The vulnerability exploits how Safari manages TCC permissions, which are stored in the user’s ‘~/Library/Safari’ folder. Details are kept in a sqlite3 database ‘PerSitePreferences.db,’ which can be checked using simple commands like:
sqlite3 PerSitePreferences.db
sqlite> SELECT * FROM preference_values;
Additionally, the ‘UserMediaPermissions.plist’ file may contain further configuration details. Defenders can monitor for any modifications in these files and detect any directory changes using the DSCL utility. While the exploit claims to use the DSCL tool to modify the home folder without specific permissions, it would still require Sudo privileges to make changes on most Macs, making widespread abuse less likely.”
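A small defender-side check along the lines Greksza describes, added here as an example that is not part of the original article and not code from any of the quoted experts. It assumes the standard `dscl . -read /Users/<name>` output format (`NFSHomeDirectory: /Users/<name>`) and only the two file names the article mentions inside `~/Library/Safari`; the hashing and comparison helpers are hypothetical names chosen for this example.

```python
import hashlib
import os
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

# Files inside the Safari TCC directory that the article names.
WATCHED = ["PerSitePreferences.db", "UserMediaPermissions.plist"]


def parse_nfs_home(dscl_output: str) -> Optional[str]:
    """Extract the NFSHomeDirectory value from `dscl . -read /Users/<user>` output."""
    for line in dscl_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "NFSHomeDirectory":
            return value.strip()
    return None


def home_dir_is_suspicious(dscl_output: str, username: str) -> bool:
    """Flag a home directory that no longer sits at the standard /Users/<name> path.
    HM Surf relies on dscl repointing the home folder, so an unexpected value
    (or a missing attribute) is the directory change defenders are told to watch for."""
    home = parse_nfs_home(dscl_output)
    return home is None or os.path.normpath(home) != f"/Users/{username}"


def snapshot(safari_dir) -> Dict[str, str]:
    """SHA-256 of each watched file ("" if absent), for comparison against a saved baseline."""
    safari_dir = Path(safari_dir)
    result = {}
    for name in WATCHED:
        p = safari_dir / name
        result[name] = hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else ""
    return result


def changed_files(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Names of watched files whose hash differs from the baseline snapshot."""
    return sorted(n for n in WATCHED if baseline.get(n) != current.get(n))


if __name__ == "__main__":
    # Live run on a Mac: read the account record, then hash the Safari TCC files.
    user = os.environ.get("USER", "")
    out = subprocess.run(["dscl", ".", "-read", f"/Users/{user}"],
                         capture_output=True, text=True).stdout
    print("home dir suspicious:", home_dir_is_suspicious(out, user))
    print(snapshot(Path.home() / "Library" / "Safari"))
```

Save the first `snapshot()` result as a baseline and alert when `changed_files()` is non-empty on a later run.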