Microsoft Threat Intelligence has uncovered a new macOS vulnerability, “HM Surf,” which can bypass Apple's Transparency, Consent, and Control (TCC) technology and enable unauthorized access to protected data.
The flaw lets an attacker who already has code running on the Mac modify configuration files in Safari's per-user directory, which is itself TCC-protected, and through them reach data and devices that TCC is meant to guard: browsing history, the camera, the microphone and the device's location. The vulnerability, now tracked as CVE-2024-44133, was reported to Apple and fixed in the macOS Sequoia security update released in September 2024.
“HM surfing” for data
The HM Surf technique works by stripping TCC protection from Safari's per-user directory (~/Library/Safari) and then editing the files it holds, in particular PerSitePreferences.db, the database in which Safari records which websites have been granted camera, microphone and location access. An attacker who can rewrite those per-site entries overrides the permissions Safari would otherwise prompt for, so a website of the attacker's choosing is treated as already approved and no consent dialog appears.
Microsoft's researchers demonstrated the technique end to end: once the per-site settings were tampered with, simply opening a web page in Safari was enough to silently capture camera snapshots, stream video, record audio and read the device's location, all through what looks like an ordinary browsing session. The exfiltration happens over normal web traffic, which is what makes the bypass hard to notice from the user's side.
Apple's TCC technology is designed to safeguard macOS users by requiring explicit consent before an app can access sensitive services such as location, the camera and the microphone; users normally grant that consent through a system prompt. HM Surf sidesteps the prompt by riding on Safari's own privileges: as Apple's default browser, Safari carries private entitlements that allow it to use TCC-protected services without a per-use permission check, and it then decides on a per-site basis which websites may use them. Tampering with those per-site decisions turns Safari's trusted status into the attacker's. Third-party browsers such as Chrome and Firefox are not shipped with these private entitlements and are subject to the ordinary TCC prompts, so this particular bypass does not apply to them.
Protection measures
Apple's September update closes the hole, but the risk remains for users who have yet to install it. Microsoft urges all macOS users to apply the latest updates and to run endpoint protection that can flag suspicious behavior associated with this vulnerability; the firm noted that Microsoft Defender for Endpoint now detects HM Surf exploitation. Switching to a browser that lacks Safari's private entitlements sidesteps this specific bypass, but it is not a substitute for installing the update, which is the only actual fix for CVE-2024-44133.
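As an added illustration for this section (not code from the article or from Microsoft's research), the following POSIX shell script checks whether a Mac is running a macOS release that carries the fix for CVE-2024-44133. It assumes the fix shipped with macOS Sequoia 15.0, the September 2024 update the article refers to; the `PATCHED_VERSION` constant and the `hm_surf_patched` and `version_ge` function names are this example's own and should be adjusted if Apple's advisory lists a different version. `sw_vers` is Apple's stock version tool.

```shell
#!/bin/sh
# Added example, not part of the article or Microsoft's research.
# Checks whether this Mac runs a macOS release at or above the one that
# shipped the CVE-2024-44133 fix.
# Assumption: the fix is in macOS Sequoia 15.0 (September 2024); adjust
# PATCHED_VERSION if Apple's advisory says otherwise.

PATCHED_VERSION="15.0"

# version_ge A B: exit 0 when dotted version A >= B, 1 otherwise.
# Compares component by component as integers, treating missing
# components as 0, so "15" equals "15.0" and "14.10" is newer than "14.9"
# (a plain string comparison would get that last case wrong).
version_ge() {
    v1="$1"
    v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        x=${v1%%.*}   # leading component of A (may be empty)
        y=${v2%%.*}   # leading component of B (may be empty)
        # Drop the component just read, or empty the string if it was the last.
        case "$v1" in *.*) v1=${v1#*.} ;; *) v1="" ;; esac
        case "$v2" in *.*) v2=${v2#*.} ;; *) v2="" ;; esac
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# hm_surf_patched [VERSION]: report whether the given macOS version (or the
# running system's, read with sw_vers) includes the fix.
# Exit 0 = patched, 1 = not patched, 2 = version could not be determined.
hm_surf_patched() {
    v="${1:-$(sw_vers -productVersion 2>/dev/null)}"
    if [ -z "$v" ]; then
        echo "cannot determine macOS version (sw_vers unavailable?)" >&2
        return 2
    fi
    if version_ge "$v" "$PATCHED_VERSION"; then
        echo "macOS $v: fix for CVE-2024-44133 present (>= $PATCHED_VERSION)"
        return 0
    fi
    echo "macOS $v: NOT patched for CVE-2024-44133; update to $PATCHED_VERSION or later"
    return 1
}

# Run the check only when invoked as: sh hm_surf_check.sh --check [VERSION]
# so the file can also be sourced by an inventory script without side effects.
if [ "${1-}" = "--check" ]; then
    hm_surf_patched "${2-}"
fi
```

In a fleet inventory the version string can be passed in from a remote query rather than read locally, which is why `hm_surf_patched` accepts it as an argument; the exit code is meant to be consumed by whatever tooling collects the results.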