Microsoft Uncovers macOS Weakness that Circumvents Privacy Controls in Safari Browser

Oct 18, 2024Ravie LakshmananThreat Intelligence / Browser Security


Microsoft has revealed information about a recently fixed security weakness in Apple’s Transparency, Consent, and Control (TCC) framework in macOS, which has likely been exploited to evade a user’s privacy preferences and obtain data.

The flaw, which the company calls HM Surf, is tracked as CVE-2024-44133. Apple fixed it in macOS Sequoia 15 by removing the vulnerable code.

HM Surf “involves eliminating the TCC protection for the Safari browser directory and altering a configuration file in the mentioned directory to access the user’s information, such as visited pages, the device’s camera, microphone, and location, without the user’s agreement,” said Jonathan Bar Or of the Microsoft Threat Intelligence team.

Microsoft noted that the new protections apply only to Apple’s Safari browser, and that it is working with other major browser vendors to further study the benefits of hardening local configuration files.


HM Surf follows Microsoft’s earlier discoveries of macOS vulnerabilities such as Shrootless, powerdir, Achilles, and Migraine, each of which could let attackers bypass security protections.

TCC is a security framework that prevents applications from accessing users’ personal data without their consent, but the newly disclosed flaw could let attackers sidestep that requirement and gain unauthorized access to location services, the address book, camera, microphone, the Downloads directory, and more.

This access is governed by a set of entitlements, and Apple’s own applications such as Safari can bypass TCC entirely through the “com.apple.private.tcc.allow” entitlement.

While this gives Safari unrestricted access to sensitive permissions, Safari also adopts a security mechanism known as Hardened Runtime, which makes it harder to run arbitrary code in the browser’s context.

When users visit a site requesting location or camera access for the first time, Safari prompts for approval through a TCC-like popup. These privileges are saved on a per-site basis in various files located in the “~/Library/Safari” directory.

Microsoft’s HM Surf exploit relies on the following steps:

  • Changing the current user’s home directory with the dscl utility, a step that does not require TCC access in macOS Sonoma
  • Editing the sensitive files (e.g., PerSitePreferences.db) in “~/Library/Safari” under the user’s real home directory
  • Reverting the home directory to its original location, so that Safari picks up the modified files
  • Launching Safari to load a web page that captures an image through the device’s camera and retrieves the location
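From a detection standpoint, the sequence above leaves a recognisable trace in process-execution telemetry: a dscl write to the account’s NFSHomeDirectory attribute, a second write reverting it, and then a Safari launch by the same user shortly afterwards. The following script is an added illustration, not code from Microsoft or from the article, of how a detection rule could correlate those events. The event format (timestamp, user, argv) and the sample events are constructed for this example; the dscl argument forms it matches are the documented `-change`/`-create` syntax, and the 15-minute window is an assumed tuning value.

```python
"""Detection sketch: correlate dscl home-directory writes with a following Safari launch.

Constructed example. The ProcEvent shape stands in for whatever process-execution
telemetry (EDR, endpoint security events) a defender actually has.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class ProcEvent:
    ts: datetime
    user: str          # account that ran the process
    argv: List[str]    # full command line, argv[0] first

HOME_KEY = "NFSHomeDirectory"
# dscl verbs that modify a record attribute (dscl . -change <record> <key> <old> <new>,
# dscl . -create <record> <key> <value>, ...). A plain -read is benign and ignored.
WRITE_VERBS = {"-change", "-create", "-append", "-merge"}

def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]

def home_dir_change_target(argv: List[str]) -> Optional[str]:
    """Return the directory-services record (e.g. /Users/alice) if argv is a dscl
    invocation that writes NFSHomeDirectory; otherwise None."""
    if not argv or basename(argv[0]) != "dscl":
        return None
    if HOME_KEY not in argv or not (WRITE_VERBS & set(argv)):
        return None
    for arg in argv:
        if arg.startswith("/Users/"):
            return arg
    return None

def is_safari_launch(argv: List[str]) -> bool:
    return bool(argv) and basename(argv[0]) == "Safari"

def hm_surf_like_sequences(events: List[ProcEvent], window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Walk events in time order. For each user, remember dscl home-directory writes
    and report a Safari launch that follows one or more of them within the window.
    Two writes before the launch match the change-then-revert pattern described
    for HM Surf and are rated higher than a single write."""
    pending: Dict[str, List[ProcEvent]] = {}
    findings: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if home_dir_change_target(ev.argv) is not None:
            pending.setdefault(ev.user, []).append(ev)
            continue
        if is_safari_launch(ev.argv):
            recent = [d for d in pending.get(ev.user, []) if ev.ts - d.ts <= window]
            if recent:
                findings.append({
                    "user": ev.user,
                    "dscl_writes": len(recent),
                    "first_dscl": recent[0].ts,
                    "safari_launch": ev.ts,
                    "severity": "high" if len(recent) >= 2 else "medium",
                })
                pending[ev.user] = []   # consumed; don't re-alert on the next launch
    return findings

# Constructed sample telemetry: one benign read, a change/revert pair followed by a
# Safari launch for "alice", and an unrelated Safari launch for "bob".
T0 = datetime(2024, 10, 18, 9, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "alice", ["/usr/bin/dscl", ".", "-read", "/Users/alice", HOME_KEY]),
    ProcEvent(T0 + timedelta(seconds=5), "alice",
              ["/usr/bin/dscl", ".", "-change", "/Users/alice", HOME_KEY, "/Users/alice", "/tmp/otherhome"]),
    ProcEvent(T0 + timedelta(seconds=20), "alice",
              ["/usr/bin/dscl", ".", "-change", "/Users/alice", HOME_KEY, "/tmp/otherhome", "/Users/alice"]),
    ProcEvent(T0 + timedelta(seconds=30), "alice", ["/Applications/Safari.app/Contents/MacOS/Safari"]),
    ProcEvent(T0 + timedelta(minutes=5), "bob", ["/Applications/Safari.app/Contents/MacOS/Safari"]),
]

if __name__ == "__main__":
    for finding in hm_surf_like_sequences(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the script reports a single high-severity finding for "alice" (two NFSHomeDirectory writes within 30 seconds of a Safari launch) and nothing for "bob". In production the same logic would sit over real endpoint telemetry, and legitimate home-directory migrations by administrators would be the main false-positive source to tune for.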

The attack could be extended to capture the entire camera stream or to covertly record audio via the Mac’s microphone, Microsoft noted. Third-party web browsers are not affected, as they lack the private entitlements granted to Apple’s own apps.

Microsoft also said it observed suspicious activity associated with a known macOS adware family, AdLoad, that may have been exploiting the vulnerability, underscoring the need for users to install the latest updates.

“Since we were unable to witness the steps taken prior to the activity, we cannot definitively confirm if the AdLoad campaign is exploiting the HM Surf flaw itself,” Bar Or commented. “Cybercriminals using a similar approach to propagate a widespread threat underscores the importance of protecting against attacks utilizing this method.”
