
Access to camera, microphone and browser data: Microsoft discovers Safari vulnerability



Microsoft has published details about a macOS vulnerability that could have allowed access to sensitive browser data in Apple’s Safari, including access to the camera, microphone, and other information. Corporate and educational customers whose devices are managed using mobile device management (MDM) were affected, but not regular users.



The bug carries the CVE ID 2024-44133 and was fixed as part of the release of macOS 15 Sequoia on September 16, but not in macOS 14.7, which was released at the same time, for reasons that are still unclear. Apple itself describes the bug this way: “On devices managed through MDM, an app may be able to bypass certain privacy settings.” All current Macs are affected: iMac from 2019, iMac Pro from 2017, Mac Studio from 2022, Mac Pro from 2019, Mac Mini from 2018, MacBook Air from 2020, and MacBook Pro from 2018.

The flaw, which Microsoft’s security team has dubbed “HM Surf”, affects the way macOS provides access to sensitive system functions, as part of the TCC (Transparency, Consent, and Control) technology. As Microsoft has noted, Safari maintains various local files that control TCC policy for the browser. Among other things, they record when you have given a website access to the camera or microphone.


Microsoft researchers managed to replace the TCC files by briefly changing the home directory, which really shouldn’t be possible with TCC. They used the command-line tool dscl to do so. Once the home directory had been changed, the Safari TCC configuration could be modified; the home directory was then reset so that the changed configuration would be read and grant the attacker's website access to the camera or microphone.
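A defender-side check for the sequence described above (home directory changed with dscl, then reset shortly afterwards), added here as an example and not taken from Microsoft or Apple. It assumes process command lines are available from endpoint telemetry; `NFSHomeDirectory` is the directory-service attribute that holds a user's home path, while the event format, function names, sample events and five-minute window are assumptions.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample process events (timestamp, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-10-01T09:00:00", "dscl . -read /Users/alice NFSHomeDirectory"),
    ("2024-10-01T09:14:02", "/usr/bin/dscl . -change /Users/alice NFSHomeDirectory /Users/alice /tmp/stage"),
    ("2024-10-01T09:14:09", "/usr/bin/dscl . -change /Users/alice NFSHomeDirectory /tmp/stage /Users/alice"),
    ("2024-10-01T11:30:00", "dscl . -create /Users/bob NFSHomeDirectory /Volumes/Data/bob"),
]

def parse_home_change(cmdline):
    """Return (account, new_home) if cmdline is a dscl home-directory write, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in the logged command line
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "dscl":
        return None
    for i, arg in enumerate(argv):
        if arg.lower() in ("-change", "-create") and i + 3 < len(argv):
            path, key = argv[i + 1], argv[i + 2]
            if key == "NFSHomeDirectory" and path.startswith("/Users/"):
                return path[len("/Users/"):], argv[-1]   # new value is the last argument
    return None

def find_home_dir_flips(events, window=timedelta(minutes=5)):
    """Flag accounts whose home directory is rewritten twice within `window`."""
    last = {}       # account -> (timestamp, new_home) of the previous write
    alerts = []
    for ts, cmdline in sorted(events):
        hit = parse_home_change(cmdline)
        if hit is None:
            continue
        account, new_home = hit
        when = datetime.fromisoformat(ts)
        if account in last and when - last[account][0] <= window:
            alerts.append({"account": account,
                           "temporary_home": last[account][1],
                           "restored_home": new_home,
                           "seconds": (when - last[account][0]).total_seconds()})
        last[account] = (when, new_home)
    return alerts

if __name__ == "__main__":
    for alert in find_home_dir_flips(SAMPLE_EVENTS):
        print(alert)
```

A single home-directory write, such as the constructed `bob` event, is ordinary administration and is not flagged; only a change followed by a second write inside the window raises an alert.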

It’s not clear if an attack has already occurred, but the makers of the adware “Adload” are interested in this type of exploit, according to Microsoft researchers. Since the attack was originally only possible on Macs managed through MDM, it would be unlikely to be widespread. The threat has therefore been rated at only 5.5 out of a possible 10 points in the Common Vulnerability Scoring System (CVSS). Apple resolved the issue by “removing the unsafe code.”


(B.Sc.)
