Microsoft researchers have uncovered a worrying security flaw in macOS that affects users running Safari on devices managed by businesses or schools. The flaw, referred to as “HM Surf,” could allow unauthorized access to system data, including the camera and microphone, without the user’s knowledge. The bug did not affect ordinary, unmanaged Macs; it mainly hit devices controlled through Mobile Device Management (MDM) systems.
Vulnerability Fix in macOS 15 Sequoia
Apple responded by releasing a patch for the problem in macOS 15 Sequoia. However, users on older versions such as macOS 14.7 have not been offered the same fix, which raised questions about their exposure. Microsoft reported the vulnerability, tracked as CVE-2024-44133, warning that attackers could manipulate certain privacy controls within the Safari web browser to bypass Apple’s standard security measures. By altering local configuration files, an attacker could change Safari’s security settings, opening the door to further malicious actions.
Safari, like other macOS applications, relies on Apple’s Transparency, Consent, and Control (TCC) system to safeguard private data such as the camera or location. The flaw targeted this very system, allowing attackers to get around the pop-up permission requests that users expect when a website wants to access sensitive data. For example, attackers could trick the system into granting access to the camera or microphone without user approval.
How Hackers Could Exploit Safari’s Config Files
The attack was sneaky. Hackers temporarily changed the user’s home directory using the command-line tool dscl, which let them edit Safari’s permissions stored in local files under that directory. These files record which websites have permission to use services such as the camera or microphone. After modifying the files, the hacker would switch the home directory back, making the change hard for users or administrators to spot. A website could then watch the user through the camera or listen via the microphone without triggering any warning.
Adload Malware Tied to Exploit Interest
Interestingly, the researchers found that Adload, a well-known adware targeting macOS, had shown interest in this type of vulnerability. Though no widespread use of this exploit has been confirmed, the fact that malware developers were looking into it highlights the potential risk. Adload’s usual tricks involve injecting ads and messing with browser settings, but if this vulnerability had been used, the impact could have been far worse.
Safari has more access to system functions than most apps, thanks to special permissions granted by Apple itself. These privileges, known as entitlements, allow Safari to access services such as the camera and microphone without going through the normal security checks. This setup is meant to make Safari more secure, but it also created an opportunity for exploitation. Hackers were able to take advantage of Safari’s privileged position within the system to bypass security in ways that would not have worked with other browsers such as Chrome or Firefox.
Microsoft took steps to ensure this exploit did not fly under the radar by adding detection for it to its Defender for Endpoint security software. The product now watches for unusual behavior, such as changes to Safari’s permissions file or suspicious activity in user home directories. Microsoft urged users to update their macOS systems to the latest version to avoid falling victim to this type of attack.
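As an added illustration of the attack pattern described above and the kind of monitoring mentioned here (example code written for this article, not Microsoft’s, Apple’s or any product’s own logic), the following Python sketch scans a constructed process-event log for a home-directory redirect, a non-Safari write into Safari’s per-site permission store under the redirected home, and the switch back. The event format, the file name PerSitePreferences.db and the one-minute correlation window are assumptions.

```python
import re

# Constructed process-event log for this example: (seconds, user, process, detail).
# NFSHomeDirectory is the Directory Services attribute that dscl changes;
# the Safari file name is an assumption, not taken from the article.
SAMPLE_EVENTS = [
    (0,   "alice", "Safari",  "write /Users/alice/Library/Safari/PerSitePreferences.db"),
    (130, "alice", "dscl",    "NFSHomeDirectory: /Users/alice -> /tmp/fakehome"),
    (132, "alice", "python3", "write /tmp/fakehome/Library/Safari/PerSitePreferences.db"),
    (135, "alice", "dscl",    "NFSHomeDirectory: /tmp/fakehome -> /Users/alice"),
    (300, "bob",   "Safari",  "write /Users/bob/Library/Safari/PerSitePreferences.db"),
]

HOME_CHANGE = re.compile(r"NFSHomeDirectory: (\S+) -> (\S+)")
SAFARI_WRITE = re.compile(r"write (\S*/Library/Safari/\S+)")


def detect_hm_surf(events, window=60):
    """Return (severity, user, message) alerts. The full HM Surf pattern is a
    home-directory redirect, a non-Safari write into Library/Safari under the
    new home, and a switch back, all within `window` seconds (assumed value)."""
    alerts = []
    redirected = {}   # user -> (time, original_home, temp_home)
    tampered = set()  # users whose redirected home received a Safari write
    for t, user, proc, detail in events:
        m = HOME_CHANGE.search(detail)
        if m:
            old, new = m.groups()
            prev = redirected.get(user)
            # A change that exactly reverses a recent redirect completes the pattern.
            if prev and old == prev[2] and new == prev[1] and t - prev[0] <= window:
                sev = "high" if user in tampered else "medium"
                alerts.append((sev, user, f"home redirected to {old} and restored after {t - prev[0]}s"))
                redirected.pop(user)
                tampered.discard(user)
            else:
                redirected[user] = (t, old, new)
                alerts.append(("low", user, f"home directory changed {old} -> {new}"))
            continue
        m = SAFARI_WRITE.search(detail)
        if m and proc != "Safari":  # Safari itself legitimately maintains these files
            path = m.group(1)
            prev = redirected.get(user)
            if prev and path.startswith(prev[2] + "/"):
                tampered.add(user)
                alerts.append(("high", user, f"{proc} wrote Safari site permissions under redirected home: {path}"))
            else:
                alerts.append(("medium", user, f"{proc} wrote Safari site permissions: {path}"))
    return alerts
```

Running `detect_hm_surf(SAMPLE_EVENTS)` yields one low alert for the redirect, a high alert for the write under the fake home, and a high alert when the home is restored; Bob’s ordinary Safari write produces nothing.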
New Security Measures and Third-Party Browsers
While this vulnerability only affected Safari, other browsers were examined to see if they were also at risk. Fortunately, third-party browsers like Chrome and Firefox don’t have the same high-level access to the system, meaning they were less susceptible to this particular attack. When these browsers try to access the camera or microphone for the first time, a permission prompt always appears, giving users control over whether to allow it.
Although this flaw was dangerous, its impact was limited by the fact that only MDM-managed Macs were vulnerable. Most personal Macs weren’t affected. Apple has since removed the vulnerable code in macOS 15 Sequoia, making it harder for this kind of attack to happen again.
Last Updated on November 7, 2024 2:25 pm CET