Microsoft recently revealed details about a security flaw in the macOS that affected the Transparency, Consent, and Control framework, which could be exploited to sidestep your privacy preferences and access data within the Safari browser.
Detailed in a Microsoft Threat Intelligence blog post, the flaw was known as CVE-2024-44133 but given the Pokemon-esque codename HM Surf by the Microsoft team. The flaw has been patched by Apple in a macOS Sequoia 15 update, where the company wrote that the issue was resolved by "removing the vulnerable code."
According to Microsoft's Jonathan Bar Or, HM Surf "involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user's data, including browsed pages, the device's camera, microphone, and location, without the user's consent."
Microsoft wrote in the post that the Sequoia 15 update only protects Apple's Safari browser. However, it was noted that browsers like Google Chrome and Mozilla Firefox "do not have the same private entitlements as Apple applications," so they can't bypass the TCC checks. That means that once people approve TCC checks, it is up to the app to maintain access to the privacy database.
TCC works by preventing apps from accessing your personal data or browser history. The since-patched vulnerability would allow bad actors to get around the TCC check and access a multitude of data, including your camera, microphone, downloads director and others.
Microsoft explained how they got to the exploit:
- Change the home directory of the current user with the dscl utility, which does not require TCC access in Sonoma (At this point, the ~/Library/Safari directory is no longer TCC protected).
- Modify the sensitive files under the user’s real home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db).
- Change the home directory again so Safari uses the now modified files.
- Run Safari to open a webpage that takes a camera snapshot and trace device location.
HM Surf is the latest in several Apple macOS flaws discovered by Microsoft, including Achilles, Migraine, powerdir and Shrootless, that potentially allow bad actors to get around security checks.
The blog post also noted suspicious activity with a macOS adware threat called AdLoad that exploits the flaw.
"Since we weren't able to observe the steps taken leading to the activity, we can't fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself," Bar Or wrote. "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."
You should update to the latest security patch as soon as possible.
More from Tom's Guide
