Microsoft has shed light on a recently patched vulnerability in Apple’s Transparency, Consent, and Control (TCC) framework in macOS, which may have been exploited to override privacy preferences and gain access to user data without consent. The flaw, tracked as CVE-2024-44133, was codenamed HM Surf by Microsoft and was addressed in macOS Sequoia 15 through the removal of vulnerable code.
The HM Surf vulnerability revolves around removing TCC protection from Safari's configuration directory (~/Library/Safari) and altering the configuration files inside it. According to Jonathan Bar Or of the Microsoft Threat Intelligence team, this could let an attacker read the user's browsed web pages and access the camera, microphone, and device location without the user's permission.
While Apple has patched the flaw, the new protections apply only to Safari. Microsoft has stated that it is working with other major browser vendors to investigate the benefits of hardening local configuration files against similar tampering.
How HM Surf Works
TCC is a critical macOS security framework designed to prevent unauthorized apps from accessing users' personal data. The HM Surf vulnerability, however, enables attackers to bypass TCC protections, potentially accessing sensitive information such as location services, address book, camera, microphone, and more.
The exploit abuses Apple's private entitlements, which give Apple's own apps such as Safari the ability to bypass certain TCC checks. Safari in particular holds the "com.apple.private.tcc.allow" entitlement, which lets it use TCC-protected services such as the camera, microphone, and location without prompting the user. Safari also runs with the Hardened Runtime, which makes it difficult to execute arbitrary code inside the browser; HM Surf therefore targets not Safari's code but the configuration files Safari trusts.
To exploit HM Surf, an attacker would:
- Change the current user's home directory with the dscl utility, an operation that does not require TCC access in macOS Sonoma.
- Modify files (such as PerSitePreferences.db) under ~/Library/Safari in the user's real home directory, which TCC no longer treats as Safari's protected directory once the home path has been redirected elsewhere.
- Change the home directory back to its original value, so Safari picks up the modified files.
- Launch Safari, which reads the altered per-site preferences and grants an attacker-controlled web page access to protected resources without showing a consent prompt.
This gives the attacker access to resources such as the camera and microphone without the user's awareness. In a more advanced attack, the same technique could be used to stealthily capture camera streams, record audio through the Mac's microphone, or trace the device's location.
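The steps above give a defender three concrete things to check: whether the Mac is running macOS 15 or later, whether any local user record carries a home directory that has been pointed somewhere other than the conventional /Users/<name> (the attribute HM Surf flips before and after editing ~/Library/Safari), and whether a given app holds the com.apple.private.tcc.allow entitlement. The following POSIX shell helpers are an added example, not Microsoft's or Apple's code. The dscl, sw_vers, and codesign commands named in the comments are real macOS tools, but the sample outputs embedded below are constructed so the checks can be exercised offline; the exact entitlement output format of codesign varies between macOS releases and is assumed here to be an XML plist.

```shell
#!/bin/sh
# Defensive audit helpers for the HM Surf technique (CVE-2024-44133).
# Added example; not code from Microsoft's write-up or from Apple.

# Return success when a macOS product version string (e.g. "14.6.1", as printed
# by `sw_vers -productVersion`) is at least 15, the release that removed the
# vulnerable code.
macos_is_patched() {
    major=${1%%.*}
    [ "$major" -ge 15 ] 2>/dev/null
}

# Read "name  /path" lines on stdin (the format produced by
# `dscl . -list /Users NFSHomeDirectory`) and print every non-system account
# whose home directory is not /Users/<name>. HM Surf redirects this attribute
# temporarily, so a record that stays redirected is worth a closer look.
find_redirected_homes() {
    while read -r name home; do
        case "$name" in
            _*|root|daemon|nobody|"") continue ;;
        esac
        [ "$home" = "/Users/$name" ] || printf '%s %s\n' "$name" "$home"
    done
}

# Given an entitlements plist on stdin (e.g. from
# `codesign -d --entitlements - --xml /Applications/Safari.app`; output shape
# assumed), print "yes" if it grants com.apple.private.tcc.allow, else "no".
has_private_tcc_entitlement() {
    if grep -q '<key>com.apple.private.tcc.allow</key>'; then
        echo yes
    else
        echo no
    fi
}

# --- constructed sample data, not captured from a real machine ---
SAMPLE_DSCL='root      /var/root
daemon    /var/root
nobody    /var/empty
_spotlight /var/empty
alice     /Users/alice
bob       /private/tmp/hmsurf'

SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.private.tcc.allow</key>
<array><string>kTCCServiceCamera</string></array>
</dict></plist>'

# Demonstration over the constructed data.
if macos_is_patched "14.6.1"; then
    echo "14.6.1: patched"
else
    echo "14.6.1: vulnerable to CVE-2024-44133, update to macOS 15"
fi
echo "Redirected home directories:"
printf '%s\n' "$SAMPLE_DSCL" | find_redirected_homes
printf 'Private TCC entitlement present: '
printf '%s\n' "$SAMPLE_ENTITLEMENTS" | has_private_tcc_entitlement
```

On a live Mac the same functions are fed real data: `sw_vers -productVersion` for the version check, `dscl . -list /Users NFSHomeDirectory | find_redirected_homes` for the account audit, and the codesign entitlements dump for the entitlement check. A redirected home directory is not proof of compromise (some deployments relocate homes deliberately), but on a standard workstation it is the kind of change the exploit depends on and should be explained.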
AdLoad Adware Exploitation
Microsoft observed suspicious activity linked to AdLoad, a known macOS adware family, that may have leveraged the HM Surf technique. Although the exact steps leading to this activity could not be fully observed, the association underlines the importance of applying the latest macOS updates before such a flaw is exploited at scale.
Microsoft noted that third-party web browsers are not affected by this issue because they lack the private entitlements granted to Apple's own applications such as Safari.
The HM Surf exploit is the latest in a series of macOS vulnerabilities uncovered by Microsoft, following previous flaws such as Shrootless, powerdir, Achilles, and Migraine. As threat actors continue to evolve, prompt patching and ensuring the latest security updates are applied remain crucial in defending against potential attacks.