

Ethical Hacking News

The macOS Vulnerability that Allows Hackers to Bypass Privacy Controls


Microsoft has revealed a critical vulnerability in Apple's Transparency, Consent, and Control (TCC) framework on macOS that could enable hackers to bypass user privacy preferences and access sensitive data, including browsed pages, device camera, microphone, location, and other personal information without consent. This vulnerability highlights the importance of addressing emerging threats and ensuring robust cybersecurity measures to protect user data.

  • Microsoft discovered a serious vulnerability in Apple's TCC framework on macOS, dubbed HM Surf.
  • The vulnerability allows hackers to bypass user privacy preferences and access sensitive data, including browsed pages, device camera, microphone, location, and other sensitive information.
  • The bug exploits the "com.apple.private.tcc.allow" entitlement to allow malicious actors to sidestep security enforcements.
  • The vulnerability was discovered by Microsoft as part of its ongoing efforts to monitor and address emerging threats in the cybersecurity landscape.



    Microsoft has revealed a serious vulnerability in Apple's Transparency, Consent, and Control (TCC) framework on macOS, which could enable hackers to bypass user privacy preferences and access sensitive data. The shortcoming, dubbed HM Surf by the tech giant, was discovered by Microsoft and addressed by Apple as part of the latest update to macOS Sequoia 15.

    The vulnerability involves removing TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain unauthorized access to user data, including browsed pages, device camera, microphone, location, and other sensitive information. This is done without the user's consent, highlighting a significant security breach that could have far-reaching consequences.

    According to Jonathan Bar Or of the Microsoft Threat Intelligence team, HM Surf "involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user's data, including browsed pages, the device's camera, microphone, and location, without the user's consent." This vulnerability could be exploited by malicious actors to sidestep security enforcements and access sensitive information.

    It is worth noting that TCC is a security framework designed to prevent apps from accessing users' personal information without their consent. However, the newly discovered bug allows attackers to bypass TCC using the "com.apple.private.tcc.allow" entitlement. This entitlement allows Apple's own apps like Safari to access sensitive permissions freely. Safari also incorporates a new security mechanism called Hardened Runtime that makes it harder to execute arbitrary code in the context of the web browser.
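The following is an added example, not code from the article, Microsoft, or Apple: a defender-side inventory of which apps hold the "com.apple.private.tcc.allow" entitlement and which TCC services it exempts. It assumes each app's entitlements are available as an XML plist (for instance as printed by `codesign -d --entitlements`); the app names and sample entitlement sets are constructed for illustration.

```python
import plistlib

TCC_ALLOW = "com.apple.private.tcc.allow"  # entitlement named in the article


def tcc_exempt_services(plist_bytes):
    """Return the TCC services an entitlements plist exempts from consent prompts."""
    if not plist_bytes.strip():
        return []  # binaries without entitlements yield no plist at all
    entitlements = plistlib.loads(plist_bytes)
    if not isinstance(entitlements, dict):
        return []
    value = entitlements.get(TCC_ALLOW, [])
    if isinstance(value, str):  # tolerate a single service given as a string
        value = [value]
    elif not isinstance(value, list):
        return []
    return sorted(str(v) for v in value)


def audit(apps):
    """Map app name -> exempted services, keeping only apps that hold the entitlement."""
    report = {}
    for name, plist_bytes in apps.items():
        services = tcc_exempt_services(plist_bytes)
        if services:
            report[name] = services
    return report


def _plist(entitlements):
    # Helper for building the constructed sample input below.
    return plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)


# Constructed sample input: hypothetical apps, not dumped from real binaries.
SAMPLE = {
    "ExampleBrowser.app": _plist({
        TCC_ALLOW: ["kTCCServiceMicrophone", "kTCCServiceCamera"],
        "com.apple.security.cs.allow-jit": True,
    }),
    "ExampleEditor.app": _plist({"com.apple.security.device.camera": True}),
    "ExampleUnsigned.app": b"",
}

if __name__ == "__main__":
    for app, services in audit(SAMPLE).items():
        print(f"{app}: no TCC prompt for {', '.join(services)}")
```

Apps that appear in the report never trigger a consent prompt for the listed services, so their local configuration files deserve the same protection as the data TCC guards.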

    The vulnerability was discovered by Microsoft as part of its ongoing efforts to monitor and address emerging threats in the cybersecurity landscape. The company has been tracking several Apple-related vulnerabilities in recent months, including Shrootless, powerdir, Achilles, and Migraine, which could enable malicious actors to sidestep security enforcements.

    While the HM Surf vulnerability is specific to the Safari browser on macOS, Microsoft has stated that it is working with other major browser vendors to further explore the benefits of hardening local configuration files. This indicates that the company recognizes the importance of addressing this vulnerability and its broader impact on user privacy and security.

    In conclusion, the newly discovered macOS vulnerability known as HM Surf highlights a serious security issue that could be exploited by hackers to bypass user privacy controls and access sensitive data. The vulnerability's discovery serves as a reminder of the ongoing need for cybersecurity awareness and vigilance in protecting user information.



    Related Information:

  • https://thehackernews.com/2024/10/microsoft-reveals-macos-vulnerability.html

  • https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/


  • Published: Fri Oct 18 01:50:26 2024 by llama3.2 3B Q4_K_M













         

