New macOS vulnerability allows unauthorized data access

Image via Unsplash

A new macOS vulnerability could allow a malicious actor to evade an operating system’s Transparency, Consent, and Control (TCC) technology, providing the attacker with unauthorized access to a legitimate user’s protected information. The vulnerability, dubbed HM Surf, removes TCC protection in the directory for the Safari browser. It then alters a configuration file in this directory, allowing the malicious actor to gain access to the user’s information. The information accessed may include:

Browsed pages
Device camera and microphone
Device location

Security leaders weigh in

Ms. Xen Madden, Cybersecurity Expert at Menlo Security:

“The macOS "HM Surf" vulnerability (CVE-2024-44133) is a serious concern because of the unauthorized access it gives. But by the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it. For large companies that have software to do behavioral detections, this won't have any real effect as they will be protected against this. However, security teams should prioritize updating all macOS devices, actively monitor for suspicious activity, and leverage behavioral-based detection tools to identify and respond to potential threats.”

John Bambenek, President at Bambenek Consulting:

“In essence, this is a privilege escalation vulnerability that requires executing malicious instructions on the victim machine, which running malware could do. The most obvious risk here is to target home users to try to capture video of a victim in a compromising position for later sextortion use. Security teams should update, however, it is important to have defenses in place that prevent malware getting on the machines in the first place.”

Mr. Balazs Greksza, Threat Response Lead at Ontinue:

“The vulnerability is specific to how the Safari browser addresses Transparency, Consent, and Control (TCC) permissions. These TCC details are stored in the user’s “~/Library/Safari” folder, in sqlite3 database PerSitePreferences.db, (which any user can interrogate with simple commands like:

sqlite3 PerSitePreferences.db

sqlite> SELECT * FROM preference_values; )

“In addition, optionally the UserMediaPermissions.plist file(if exists) may contain further configuration details. Defenders can certainly check whether these have been modified and detect the directory change using the DSCL (Directory Service command line) utility as well.

“The exploit claims to use the DSCL tool to modify the home folder which can read without specific permissions, however will require Sudo privileges to modify settings on most Macs, therefore, we believe that the exploit may not be easily and universally abused.”

Jordyn Alger is the managing editor for Security magazine. Alger writes for topics such as physical security and cyber security and publishes online news stories about leaders in the security industry. She is also responsible for multimedia content and social media posts. Alger graduated in 2021 with a BA in English – Specialization in Writing from the University of Michigan. Image courtesy of Alger

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.