Microsoft discovers macOS vulnerability that could expose your data — what we know

[Image: macOS Sonoma desktop on a 14-inch MacBook Pro (credit: Future)]

Microsoft recently revealed details about a security flaw in macOS affecting the Transparency, Consent, and Control (TCC) framework, which could be exploited to sidestep your privacy preferences and access data within the Safari browser.

Detailed in a Microsoft Threat Intelligence blog post, the flaw is tracked as CVE-2024-44133 but was given the Pokemon-esque codename HM Surf by the Microsoft team. Apple has patched the flaw in a macOS Sequoia 15 update, where the company wrote that the issue was resolved by "removing the vulnerable code."

  • Change the home directory of the current user with the dscl utility, which does not require TCC access in Sonoma (At this point, the ~/Library/Safari directory is no longer TCC protected).
  • Modify the sensitive files under the user’s real home directory (such as /Users/$USER/Library/Safari/PerSitePreferences.db).
  • Change the home directory again so Safari uses the now modified files.
  • Run Safari to open a webpage that takes a camera snapshot and trace device location.
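The chain above hinges on one observable condition: the user's directory-services record ends up with an NFSHomeDirectory that no longer points at the real /Users/<name> home. The following is an added defender-side audit (not code from Microsoft, Apple, or the article) that parses the text produced by `dscl . -read /Users/<name> NFSHomeDirectory` and flags records whose home has been redirected to a scratch location, to another user's home, or removed entirely. The sample records, the list of scratch roots, and the exception allowlist are constructed for the example; on a real Mac you would feed it the output of dscl for each local user.

```python
"""
Audit local user records for redirected home directories.

Added example for the HM Surf technique described above; not Microsoft's or
Apple's code. Assumes the `dscl . -read` output format
"NFSHomeDirectory: /path". All sample records below are constructed.
"""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

EXPECTED_HOME_ROOT = PurePosixPath("/Users")

# Constructed list of locations a home directory should never be moved to.
WRITABLE_SCRATCH_ROOTS = (
    PurePosixPath("/tmp"),
    PurePosixPath("/private/tmp"),
    PurePosixPath("/var/tmp"),
)

# Matches the attribute line dscl prints for NFSHomeDirectory.
_NFS_HOME_RE = re.compile(r"^NFSHomeDirectory:\s*(?P<path>\S.*?)\s*$", re.MULTILINE)


@dataclass
class HomeDirFinding:
    user: str
    home: Optional[str]
    suspicious: bool
    reason: str


def parse_nfs_home(dscl_output: str) -> Optional[str]:
    """Extract the NFSHomeDirectory value from dscl output, or None if absent."""
    m = _NFS_HOME_RE.search(dscl_output)
    return m.group("path") if m else None


def assess_home(user: str, home: Optional[str],
                known_exceptions: Optional[dict] = None) -> HomeDirFinding:
    """Decide whether a user's recorded home directory looks redirected.

    known_exceptions maps accounts whose home legitimately lives outside
    /Users (for example root -> /var/root) to their expected path.
    """
    known_exceptions = known_exceptions or {}
    if home is None:
        return HomeDirFinding(user, None, True, "record has no NFSHomeDirectory attribute")
    p = PurePosixPath(home)
    if not p.is_absolute() or ".." in p.parts:
        return HomeDirFinding(user, home, True, "home path is relative or contains traversal")
    if user in known_exceptions and p == PurePosixPath(known_exceptions[user]):
        return HomeDirFinding(user, home, False, "home matches allowlisted exception")
    expected = EXPECTED_HOME_ROOT / user
    if p == expected:
        return HomeDirFinding(user, home, False, "home matches /Users/<user>")
    for root in WRITABLE_SCRATCH_ROOTS:
        if p == root or root in p.parents:
            return HomeDirFinding(user, home, True, f"home redirected under scratch location {root}")
    return HomeDirFinding(user, home, True, f"home does not match expected {expected}")


def audit(records: dict, known_exceptions: Optional[dict] = None) -> list:
    """Run assess_home over a mapping of username -> raw dscl output."""
    return [assess_home(u, parse_nfs_home(out), known_exceptions) for u, out in records.items()]


# Constructed sample dscl output for four local accounts.
SAMPLE_RECORDS = {
    "alice": "NFSHomeDirectory: /Users/alice\n",
    "bob": "NFSHomeDirectory: /private/tmp/staged_home\n",   # moved to scratch space
    "carol": "NFSHomeDirectory: /Users/alice\n",             # points at another user's home
    "dave": "RecordName: dave\n",                             # attribute missing entirely
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, {"root": "/var/root"}):
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{finding.user:8} {flag:10} {finding.home!r}: {finding.reason}")
```

The /Users baseline is a heuristic, not Apple's rule: network-mounted homes and service accounts such as root (whose record points at /var/root) are legitimate exceptions, which is why the allowlist parameter exists. A mismatch is a prompt to look at how the record was changed, not proof of compromise on its own.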

HM Surf is the latest of several Apple macOS flaws discovered by Microsoft, including Achilles, Migraine, powerdir and Shrootless, that could allow bad actors to get around security checks.

The blog post also noted suspicious activity from a macOS adware threat called AdLoad that may be exploiting the flaw.

"Since we weren't able to observe the steps taken leading to the activity, we can't fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself," Bar Or wrote. "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."

You should update to the latest security patch as soon as possible.


Scott Younker
West Coast Reporter

Scott Younker is the West Coast Reporter at Tom’s Guide. He covers all the latest tech news. He’s been involved in tech since 2011 at various outlets and is on an ongoing hunt to build the easiest-to-use home media system. When not writing about the latest devices, you are more than welcome to discuss board games or disc golf with him. He also handles all the Connections coverage on Tom's Guide and has been playing the addictive NYT game since it released.