Introduction

Microsoft has identified a critical security vulnerability in macOS, designated CVE-2024-44133 and codenamed “HM Surf” [9]. The vulnerability compromises the Transparency, Consent, and Control (TCC) framework [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], particularly affecting the Safari browser on devices managed through Mobile Device Management (MDM), and allows unauthorized access to sensitive user data by bypassing the user's privacy preferences [3] [11].

Description

Microsoft has disclosed a significant security vulnerability in macOS, tracked as CVE-2024-44133 and codenamed “HM Surf” [2] [9]. The flaw affects the Transparency, Consent, and Control (TCC) framework, which is essential for user privacy [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], and targets the Safari browser on MDM-managed devices. It allows attackers to bypass user privacy preferences and gain unauthorized access to sensitive user data, including browsing history, location, camera, and microphone information, without user consent [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]. The vulnerability arises from the manipulation of TCC protections within the Safari browser directory and local configuration files, specifically by modifying the PerSitePreferences.db file and changing the current user's home directory with the dscl utility, which lets attackers circumvent the established security controls [2].

The exploit leverages Safari’s special privileges within macOS [2], specifically the entitlement “com.apple.private.tcc.allow,” which lets Safari bypass TCC checks on a per-website basis [7]; an attacker who controls those per-site settings can grant permissions to malicious websites without triggering user consent prompts [7]. Safari runs under the Hardened Runtime mechanism, which is meant to prevent arbitrary code execution, yet Microsoft’s research team has outlined a methodology that works around it [2]. Attackers exploit the vulnerability by removing TCC protection from the Safari browser directory and altering sensitive files in ~/Library/Safari, which lets them change app settings without user consent. This technique can lead to unauthorized snapshots via the camera and streaming of audio without the user's awareness [9].

CVE-2024-44133 carries a medium severity rating of 5.5 in the Common Vulnerability Scoring System (CVSS) [7]. Microsoft has detected suspicious activity linked to Adload, a known macOS adware family [5] [7] [9] [10], which may have used similar techniques to access user data [7]. Although there is no direct evidence that Adload exploits this vulnerability [8], anomalous behavior detected by Microsoft Defender for Endpoint points to possible exploitation avenues, including modifications to browser configuration files to obtain microphone and camera access for specific URLs.
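The two signals the preceding paragraphs describe, a dscl change to the user's home directory and a write to Safari's PerSitePreferences.db by something other than Safari, can be turned into simple endpoint detection logic. The following is an added example, not code from Microsoft or from any of the cited articles; the event-record format is a constructed stand-in for EDR process telemetry, and NFSHomeDirectory is assumed to be the dscl attribute that holds a user's home path.

```python
# Constructed sample of process events (user, executable, argv, file written),
# imitating what an EDR would record. Not real telemetry.
EVENTS = [
    {"user": "alice", "exe": "/usr/bin/dscl",
     "args": ["dscl", ".", "-create", "/Users/alice", "NFSHomeDirectory", "/tmp/fakehome"],
     "written": None},
    {"user": "alice", "exe": "/usr/bin/sqlite3",
     "args": ["sqlite3", "/tmp/fakehome/Library/Safari/PerSitePreferences.db"],
     "written": "/tmp/fakehome/Library/Safari/PerSitePreferences.db"},
    {"user": "alice", "exe": "/usr/bin/dscl",
     "args": ["dscl", ".", "-create", "/Users/alice", "NFSHomeDirectory", "/Users/alice"],
     "written": None},
    {"user": "alice", "exe": "/Applications/Safari.app/Contents/MacOS/Safari",
     "args": ["Safari"],
     "written": "/Users/alice/Library/Safari/PerSitePreferences.db"},
    {"user": "bob", "exe": "/usr/bin/dscl",
     "args": ["dscl", ".", "-read", "/Users/bob"], "written": None},
]

SAFARI_DB = "/Library/Safari/PerSitePreferences.db"
DSCL_WRITE_OPS = {"-create", "-change", "-append", "-merge"}  # assumed write verbs


def is_home_dir_change(ev):
    """dscl invoked with a write verb against the NFSHomeDirectory attribute."""
    args = ev["args"]
    return (ev["exe"].endswith("/dscl")
            and "NFSHomeDirectory" in args
            and any(a in DSCL_WRITE_OPS for a in args))


def is_foreign_safari_prefs_write(ev):
    """PerSitePreferences.db written by a process that is not Safari itself."""
    path = ev.get("written") or ""
    return path.endswith(SAFARI_DB) and not ev["exe"].endswith("/Safari")


def find_hm_surf_indicators(events):
    """Return (index, severity, reason) for each suspicious event. A foreign
    write that follows a home-directory change for the same user is rated high."""
    findings, home_changed = [], set()
    for i, ev in enumerate(events):
        if is_home_dir_change(ev):
            home_changed.add(ev["user"])
            findings.append((i, "medium", f"dscl changed NFSHomeDirectory for {ev['user']}"))
        elif is_foreign_safari_prefs_write(ev):
            sev = "high" if ev["user"] in home_changed else "medium"
            findings.append((i, sev, f"{ev['exe']} wrote {SAFARI_DB}"))
    return findings


if __name__ == "__main__":
    for finding in find_hm_surf_indicators(EVENTS):
        print(*finding)
```

On the constructed sample, the two dscl events rate medium and the sqlite3 write between them rates high, while Safari's own write to its database and a plain `dscl -read` are ignored.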

To mitigate this vulnerability, Apple released a fix in the macOS Sequoia 15 security update on September 16, 2024, which removes the vulnerable code and enhances security measures for Safari [9]. The update applies to a range of Mac models, including Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later) [10]. Cybersecurity experts strongly advise all macOS users, particularly those in enterprise environments using mobile device management (MDM) setups [1], to apply these updates promptly [1] [3] [5] [10]. This underscores the need for robust protection against such vulnerabilities [7], as the HM Surf exploit can potentially enable attackers to capture video and audio from the device. Notably, third-party browsers such as Google Chrome, Mozilla Firefox [1] [11], and Microsoft Edge are not affected, because they lack a similar private entitlement [3] and must request user permission to access sensitive functions [1]. Microsoft is also collaborating with other major browser vendors, including Google and Mozilla [1] [6] [8] [9], to harden the handling of local configuration files and implement further protective measures.

Conclusion

The CVE-2024-44133 vulnerability poses a significant risk to user privacy by allowing unauthorized access to sensitive data. The release of the macOS Sequoia 15 security update by Apple is a crucial step in mitigating this threat. Users [1] [3] [5] [6] [8] [9] [10], especially those in enterprise settings, are urged to apply these updates immediately to safeguard their devices. The collaboration between Microsoft and other major browser vendors highlights the ongoing efforts to strengthen security measures and prevent similar vulnerabilities in the future.

References

[1] https://www.forbes.com/sites/zakdoffman/2024/10/20/microsoft-security-warning-for-apple-macbook-users-asmacbook-pro-m4-nearly-here/
[2] https://zerosecurity.org/apple-patches-critical-security-flaw-cve-2024-44133-macos-safari/14889/
[3] https://thehackernews.com/2024/10/microsoft-reveals-macos-vulnerability.html
[4] https://www.cybersecurity-review.com/new-macos-vulnerability-hm-surf-could-lead-to-unauthorized-data-access/
[5] https://www.infosecurity-magazine.com/news/microsoft-macos-vulnerability/
[6] https://www.techworm.net/2024/10/macos-vulnerability-allow-unauthorized-data-access.html
[7] https://www.darkreading.com/vulnerabilities-threats/macos-safari-exploit-camera-mic-browser-data
[8] https://securityonline.info/hm-surf-cve-2024-44133-macos-flaw-exposing-cameras-and-microphones-to-hackers-poc-published/
[9] https://www.blackhatethicalhacking.com/news/apple-fixes-critical-hm-surf-flaw-macos-safari-exploit-allows-full-access-to-user-data/
[10] https://www.malwarebytes.com/blog/news/2024/10/microsoft-reveals-details-about-hm-surf-vulnerability-in-macos
[11] https://www.tomsguide.com/computing/online-security/microsoft-discovers-macos-vulnerability-that-could-expose-your-data-what-we-know