New macOS Vulnerability

Researchers at Microsoft discovered a new macOS vulnerability, “HM Surf” (CVE-2024-44133), which bypasses TCC protections, allowing unauthorized access to sensitive data like the camera and microphone. Patch now to stay protected.  A vulnerability discovered by cybersecurity researchers at Microsoft Threat Intelligence in macOS allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology, granting unauthorized access to sensitive user data.

The vulnerability, dubbed “HM Surf” by the researchers, may be under active exploitation, they warned.  It has been assigned CVE-2024-44133.[1]

The HM Surf vulnerability involves removing the TCC protection for the Safari browser directory and modifying a configuration file. This enables attackers to access users’ browsing history, camera, microphone, and location without their consent. The vulnerability is serious as it also allows attackers to gather and use sensitive information for malicious purposes.

How the Vulnerability Works—TCC technology prevents apps from accessing users’ personal information without their prior consent and knowledge. However, the HM Surf vulnerability exploits a weakness in the way TCC protects the Safari browser directory. By removing the TCC protection and modifying the configuration file, attackers can gain access to sensitive user data.

Microsoft’s blog post reported “potential exploitation” activity associated with Adload, a prevalent macOS malware (adware) family.

The company’s behavioral monitoring protections in Microsoft Defender for Endpoint have identified suspicious activity, including unusual modification of the Preferences file, whether through HM Surf or other methods.

John Bambenek, President at Bambenek Consulting, urged users to install patches and protect their data, especially their videos.  “In essence, this is a privilege escalation vulnerability that requires executing malicious instructions on the victim machine, which running malware could do, and the most obvious risk here is to target home users to try to capture video of a victim in a compromising position for later sextortion use,” Bambenek warned.  “Security teams should update; however, it is important to have defenses that prevent malware from getting on the machines in the first place.”

Apple’s Response—On 16 September 2024, Apple released a fix for the vulnerability as part of security updates for macOS Sequoia. The company has also introduced new APIs for App Group Containers that let System Integrity Protection (SIP) guard configuration files against modification by an external attacker. macOS users are urged to apply the security updates as soon as possible to protect themselves from this vulnerability. Additionally, users should be cautious when granting permissions to apps and ensure that they only allow access to sensitive information when necessary.

Install Patches ASAP!  The identification, reporting, and patching of the HM Surf vulnerability highlights one key point: cross-platform threat intelligence sharing is essential for a secure cybersecurity future.  Businesses and users should install the security patches released by Apple in September.  Going forward, enabling auto-updates on macOS devices is recommended so that such threats are automatically addressed by new security updates.


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424


[1] https://hackread.com/hm-surf-macos-flaw-attackers-access-camera-mic/
