Apple Fixes Critical HM Surf Flaw – macOS Safari Exploit Allows Full Access to User Data

Oct 18, 2024 | News





Microsoft Uncovers Major macOS Flaw in Safari

Microsoft has disclosed details about a now-patched security flaw in Apple’s Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to bypass a user’s privacy preferences and access sensitive data.

The vulnerability, codenamed HM Surf by Microsoft, is tracked as CVE-2024-44133 and has been addressed by Apple in macOS Sequoia 15 by removing the vulnerable code.

How the HM Surf Vulnerability Works

HM Surf “involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent,” according to Jonathan Bar Or of the Microsoft Threat Intelligence team.

The vulnerability specifically affects Apple’s Safari browser by allowing attackers to modify local configuration files that grant permissions to sensitive resources. The new security protections implemented by Apple apply only to Safari, though Microsoft is collaborating with other browser vendors to extend these protections.

What Is TCC and How It Was Bypassed

TCC (Transparency, Consent, and Control) is a security framework in macOS that manages how apps access users’ personal information, requiring explicit consent. However, the HM Surf vulnerability enables attackers to bypass TCC controls and access sensitive data such as location services, address book, camera, microphone, and downloads.

Apple’s Safari browser has special entitlements, like “com.apple.private.tcc.allow”, that let it bypass TCC protections. This feature, combined with vulnerabilities in how configuration files are handled, allows attackers to exploit Safari and perform malicious actions without user awareness.


Exploitation Technique of HM Surf

The HM Surf exploit follows a series of steps to gain unauthorized access:

  1. Modify the home directory of the current user using the dscl utility. This does not require TCC access on macOS Sonoma.
  2. Alter sensitive files (e.g., PerSitePreferences.db) within the user’s real home directory, specifically files that Safari uses to manage privacy preferences.
  3. Revert the home directory back to its original state, causing Safari to use the now-modified configuration files.
  4. Launch Safari and open a web page that exploits the altered files to access the device’s camera, microphone, or location without triggering the normal consent popups.

By doing this, attackers can capture a snapshot via the device’s camera, access location information, and potentially stream camera or microphone data without the user’s knowledge.
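For defenders, the change-then-revert of a user's home directory described in the steps above is the most distinctive signal to hunt for. The following detection sketch is an added example, not code from Microsoft or from this article; the log line format, the five-minute window, and the sample events are constructed assumptions.

```python
import shlex
from datetime import datetime, timedelta

# Constructed process-execution events: timestamp, parent process, command line.
# The line format is an assumption; adapt parse() to your EDR or audit export.
SAMPLE_EVENTS = """\
2024-10-18T09:00:01 Terminal dscl . -read /Users/alice NFSHomeDirectory
2024-10-18T09:14:30 updater dscl . -change /Users/alice NFSHomeDirectory /Users/alice /tmp/stage
2024-10-18T09:14:33 updater dscl . -change /Users/alice NFSHomeDirectory /tmp/stage /Users/alice
2024-10-18T09:14:35 updater open -a Safari https://example.invalid/
2024-10-18T11:02:10 sysadminctl dscl . -change /Users/bob NFSHomeDirectory /Users/bob /Volumes/Data/bob
"""

WINDOW = timedelta(minutes=5)  # assumed threshold for "changed, then quickly reverted"

def parse(line):
    ts, parent, cmd = line.split(" ", 2)
    return datetime.fromisoformat(ts), parent, shlex.split(cmd)

def home_change(argv):
    """Return (user, old_home, new_home) if argv is a dscl home-directory change."""
    if (len(argv) == 7 and argv[0].endswith("dscl") and argv[2] == "-change"
            and argv[3].startswith("/Users/") and argv[4] == "NFSHomeDirectory"):
        return argv[3][len("/Users/"):], argv[5], argv[6]
    return None

def find_flips(text, window=WINDOW):
    pending = {}  # user -> (time of change, original home) not yet reverted
    alerts = []
    for line in text.splitlines():
        ts, parent, argv = parse(line)
        change = home_change(argv)
        if change:
            user, old, new = change
            prev = pending.get(user)
            if prev and new == prev[1] and ts - prev[0] <= window:
                alerts.append({"user": user, "parent": parent, "start": prev[0],
                               "reverted": ts, "safari_after": False})
                del pending[user]
            else:
                pending[user] = (ts, old)
        elif alerts and "Safari" in argv and ts - alerts[-1]["reverted"] <= window:
            alerts[-1]["safari_after"] = True  # Safari launched right after the revert
    return alerts
```

A one-way change such as the constructed `bob` event (a legitimate home-directory migration) is left pending and raises no alert; only a change that is reverted to the original path inside the window is reported.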

Known Exploitation and Adware Campaigns

Microsoft has observed suspicious activity linked to AdLoad, a known macOS adware, that could be exploiting the HM Surf vulnerability. While Microsoft hasn’t confirmed that AdLoad specifically uses HM Surf, the similar behavior observed makes it important for users to apply the latest security patches.

“Since we weren’t able to observe the steps leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM Surf vulnerability itself,” Bar Or said. “However, attackers using a similar method to deploy a prevalent threat highlights the importance of having protection against attacks using this technique.”




Patch and Recommendations

The vulnerability was patched in macOS Sequoia 15, and users are advised to update their systems immediately. The new security measures remove the vulnerable code and enhance protections against unauthorized access via Safari. Microsoft is also working with other major browser vendors to expand these security measures beyond Safari.

Users should ensure they are running the latest version of macOS and Safari to avoid falling victim to this exploit. In addition, keeping antivirus software up to date and monitoring for unusual activity is recommended to mitigate the risk of exploitation from similar vulnerabilities.


Source: thehackernews.com
