CVE-2024-44133: Microsoft Uncovers macOS Security Hole in TCC Framework
Microsoft has discovered and disclosed a vulnerability in Apple’s Transparency, Consent, and Control (TCC) framework used in macOS. The vulnerability, codenamed HM Surf and identified as CVE-2024-44133, allows the circumvention of user privacy settings and unauthorized access to sensitive data.
The issue was addressed in the macOS Sequoia 15 update by removing the vulnerable code. The vulnerability enabled attackers to gain access to confidential information, including browsing history, as well as usage of the camera, microphone, and device location without user consent. This was achieved by disabling TCC protection for the Safari directory and altering configuration files.
Microsoft reported that the vulnerability affects only Safari, and the company is collaborating with other browser vendors to strengthen the protection of local configuration files.
Previously, Microsoft had discovered similar macOS vulnerabilities, such as Shrootless, powerdir, Achilles, and Migraine, which also allowed security bypasses. In the case of HM Surf, the attack involved altering the user’s home directory and modifying sensitive files, such as “PerSitePreferences.db,” which allowed Safari to use spoofed data upon launch.
Safari has unique privileges that permit it to bypass TCC via “com.apple.private.tcc.allow” entitlements, though it also employs the Hardened Runtime mechanism, which makes executing arbitrary code more difficult. Even so, the first time access to the camera or geolocation is requested, the browser still prompts the user with a pop-up for confirmation.
Microsoft noted that this vulnerability was potentially exploited in a known adware campaign involving AdLoad. However, due to the lack of complete details on the attack methods, experts could not confirm whether the HM Surf exploit was definitively used. Nevertheless, such attacks highlight the critical importance of timely security updates.
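For defenders, the behaviour described above (a changed home directory followed by a write to “PerSitePreferences.db” from something other than Safari) can be turned into a simple correlation rule. The following is an added example, not code from Microsoft or Apple; the event schema, the field names, the process names other than Safari, and the five-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical telemetry schema (not a real product's format).
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T10:00:00", "user": "alice", "process": "Safari",
     "action": "file_write", "path": "/Users/alice/Library/Safari/PerSitePreferences.db"},
    {"ts": "2024-10-01T11:00:00", "user": "bob", "process": "helper_tool",
     "action": "home_dir_change", "path": "/tmp/fakehome"},
    {"ts": "2024-10-01T11:00:20", "user": "bob", "process": "helper_tool",
     "action": "file_write", "path": "/tmp/fakehome/Library/Safari/PerSitePreferences.db"},
    {"ts": "2024-10-01T12:00:00", "user": "carol", "process": "sync_agent",
     "action": "file_write", "path": "/Users/carol/Library/Safari/PerSitePreferences.db"},
]

TARGET_SUFFIX = "/Library/Safari/PerSitePreferences.db"
TRUSTED_WRITERS = {"Safari"}    # assumption: telemetry reports the writing process name
WINDOW = timedelta(minutes=5)   # assumption: correlation window, tune per environment


def detect(events):
    """Flag non-Safari writes to PerSitePreferences.db; 'high' if a home directory change preceded the write."""
    last_home_change = {}  # user -> time of that user's most recent home directory change
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "home_dir_change":
            last_home_change[ev["user"]] = ts
            continue
        # Match on the path suffix: the home directory prefix may have been altered.
        if ev["action"] != "file_write" or not ev["path"].endswith(TARGET_SUFFIX):
            continue
        if ev["process"] in TRUSTED_WRITERS:
            continue
        changed = last_home_change.get(ev["user"])
        correlated = changed is not None and ts - changed <= WINDOW
        alerts.append({"user": ev["user"], "process": ev["process"], "path": ev["path"],
                       "severity": "high" if correlated else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Writes by Safari itself are ignored, so the rule depends on the telemetry source attributing the write to the correct process.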