Microsoft researchers have disclosed a vulnerability in Safari on macOS that could let a local attacker bypass the operating system's privacy protections and silently gain access to the user's camera, microphone, location, and browsing data.
The flaw stems from the special permissions Apple grants to its own applications, Safari among them. With those privileges, an attacker who can already run code as the user is able to modify Safari's own configuration files and, through them, circumvent Transparency, Consent, and Control (TCC), the macOS mechanism that asks the user before an app touches sensitive data or hardware. The issue is tracked as CVE-2024-44133 and carries a medium CVSS score of 5.5.
Microsoft named its exploit for CVE-2024-44133 "HM Surf." According to its findings, the technique gives unauthorized access to the sites a user has visited, the camera, the microphone, and location services. Microsoft also reports that at least one adware family may already be using a similar approach, so the threat is not purely theoretical.
Apple fixed CVE-2024-44133 in macOS Sequoia 15, released on September 16, 2024.
Xen Madden of Menlo Security commented on the seriousness of the vulnerability, highlighting the unauthorized access it makes possible. She stressed that organizations should make sure their macOS devices are up to date, while noting that many Endpoint Detection and Response (EDR) tools, Microsoft Defender among them, are equipped to detect this particular threat.
Exploiting HM Surf
TCC is the mechanism macOS uses to gate access to sensitive features and data. When an app first tries to use the camera, for example, TCC prompts the user for consent and records the decision. Certain Apple applications, however, carry "entitlements," signed-in privileges that let them skip the standard consent prompt.
The heart of HM Surf is Safari's "com.apple.private.tcc.allow" entitlement. Because of it, Safari itself is never challenged by TCC when it needs the camera, microphone, or location. Instead, Safari enforces its own, finer-grained model: it prompts the user when a website asks for one of these capabilities and stores the answer per website in its own configuration files. In other words, Safari holds the access, but the sites it loads do not inherit it unless the user has granted it to that site.
Those per-website permission settings live in files under the ~/Library/Safari directory of the user's home folder. The directory is itself protected by TCC, so an ordinary process cannot write to it, but at the time of the research the directory service command line utility (dscl) could change the user's home directory record without triggering a TCC prompt. The exploit uses that gap: it repoints the user's home directory elsewhere, so the real ~/Library/Safari is no longer the location TCC is guarding; edits Safari's per-website permission files there to grant camera, microphone, or location access to an attacker-controlled site; and then sets the home directory back. The next time Safari opens that site, the stored permissions apply, Safari's entitlement suppresses any operating-system prompt, and the page can capture data without the user noticing. Note that the attacker already needs code execution as the local user; the bypass does not grant it.
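The sequence described above (home directory redirected with dscl, a write under the real ~/Library/Safari, home directory restored) is also a usable detection pattern for process and file telemetry. The following is an added example, not code from Microsoft's research or from the original article: a small correlator that runs over constructed sample events. The command shape `dscl . -create /Users/<name> NFSHomeDirectory <path>` is the standard way to set the home directory record; the sample file name under ~/Library/Safari, the timestamps, and the user names are constructed for the example.

```python
"""Correlate the HM Surf pattern over process-execution and file-write telemetry.

Stages per user: (1) dscl rewrites NFSHomeDirectory away from /Users/<name>,
(2) something writes under the real /Users/<name>/Library/Safari/,
(3) dscl sets NFSHomeDirectory back. Stages 1 and 3 together with a
Safari write in between rate "high"; a redirection alone rates "medium".
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int       # seconds on a constructed clock
    user: str     # account the process ran as
    kind: str     # "exec" (detail = command line) or "file_write" (detail = path)
    detail: str


def parse_home_change(cmdline):
    """Return (record_name, new_home) if cmdline sets NFSHomeDirectory via dscl, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if len(argv) < 6 or not argv[0].endswith("dscl"):
        return None
    if argv[1] != "." or argv[2] not in ("-create", "-change"):
        return None
    if not argv[3].startswith("/Users/") or argv[4] != "NFSHomeDirectory":
        return None
    # For -change the last token is the new value; for -create it is the value.
    return argv[3].rstrip("/").rsplit("/", 1)[1], argv[-1].rstrip("/")


def detect_hm_surf(events, window=300):
    """Return alerts for redirect -> Safari write -> restore sequences, per user."""
    alerts = []
    open_redirects = {}  # user -> state of an in-progress redirection

    def close(user, st, ts, restored):
        severity = "high" if restored and st["writes"] else "medium"
        alerts.append({
            "user": user, "severity": severity, "ts": ts,
            "redirected_to": st["redirected_to"],
            "safari_writes": list(st["writes"]),
            "restored": restored,
        })
        open_redirects.pop(user, None)

    for ev in sorted(events, key=lambda e: e.ts):
        st = open_redirects.get(ev.user)
        if st is not None and ev.ts - st["start"] > window:
            close(ev.user, st, ev.ts, restored=False)  # expired: still worth a look
            st = None
        if ev.kind == "exec":
            parsed = parse_home_change(ev.detail)
            if parsed is None:
                continue
            record, new_home = parsed
            if st is None:
                if new_home != f"/Users/{record}":      # redirected away from the real home
                    open_redirects[ev.user] = {"start": ev.ts, "record": record,
                                               "redirected_to": new_home, "writes": []}
            elif new_home == f"/Users/{st['record']}":  # restored
                close(ev.user, st, ev.ts, restored=True)
            else:
                st["redirected_to"] = new_home
        elif ev.kind == "file_write" and st is not None:
            if ev.detail.startswith(f"/Users/{st['record']}/Library/Safari/"):
                st["writes"].append(ev.detail)

    for user, st in list(open_redirects.items()):
        close(user, st, st["start"] + window, restored=False)
    return alerts


# Constructed sample telemetry; the Safari file name is an assumption for the sample.
SAMPLE_EVENTS = [
    Event(100, "alice", "exec", "dscl . -read /Users/alice NFSHomeDirectory"),
    Event(110, "alice", "exec", "dscl . -create /Users/alice NFSHomeDirectory /private/tmp/fakehome"),
    Event(112, "alice", "file_write", "/Users/alice/Library/Safari/PerSitePreferences.db"),
    Event(120, "alice", "exec", "dscl . -create /Users/alice NFSHomeDirectory /Users/alice"),
    Event(200, "bob", "exec", "dscl . -create /Users/bob NFSHomeDirectory /Users/bob"),
    Event(300, "carol", "exec", "dscl . -create /Users/carol NFSHomeDirectory /Volumes/Data/carol"),
]

if __name__ == "__main__":
    for alert in detect_hm_surf(SAMPLE_EVENTS):
        print(alert)
```

On the sample, alice produces a "high" alert (redirect, Safari write, restore), bob produces nothing because the value written equals the real home directory, and carol produces a "medium" alert for a redirection that is never restored. On a live host, `dscl . -read /Users/<name> NFSHomeDirectory` shows the current value of the record the exploit manipulates.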
Was CVE-2024-44133 Already Exploited?
After developing the exploit, Microsoft monitored customer environments for activity resembling it. It found a program that modified Google Chrome's settings, including granting camera and microphone permissions to a specific URL.
The program was the known macOS adware "AdLoad," which hijacks browser sessions and floods users with unwanted ads. AdLoad has also been reported to harvest sensitive user information and to enlist infected devices into larger attack infrastructure.
Although the behavior Microsoft observed in AdLoad resembled the HM Surf technique, the company said it could not establish a definitive link because it had not observed the steps leading up to the permission change. Even so, it stressed that the possibility of such misuse underscores the need for defenses against this class of technique.
Inquiries have been made to both Apple and Microsoft for further insights regarding the implications of this vulnerability and its exploitation.
Source
www.darkreading.com