Microsoft has warned Apple users about a macOS vulnerability that its researchers named “HM Surf”. An attacker who exploits it can reach a user’s protected data, including browsed web pages and the device’s camera, microphone and location, without the user’s knowledge, and Microsoft says it has observed suspicious activity that may already have exploited the flaw. The bug affects macOS, and because the bypass applies to devices managed through mobile device management (MDM), enterprise fleets carry the greater risk.
The technique bypasses the Transparency, Consent, and Control (TCC) protection that guards Safari’s own configuration. Safari can reach the camera, microphone and location without a TCC prompt, so an attacker who can rewrite Safari’s per-site permissions can have a malicious web page collect that data and send it to a server they control. “We shared our findings with Apple,” Microsoft said; Apple fixed the issue as CVE-2024-44133 in the macOS Sequoia 15 security updates.
All macOS users are urged to install that update promptly. Microsoft also noted that, at present, only Safari benefits from the new protections TCC affords, and that it is working with other major browser vendors on hardening local configuration files in the same way.
The researchers found that the relevant Safari configuration files, the ones holding Safari’s per-site permission decisions, live in the user’s home directory. Those files could be altered in a way that sidestepped TCC’s protection of that directory, and an altered file could grant a site the camera or microphone with no prompt, regardless of what Safari’s own permission list showed the user.
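Behaviour monitoring for this class of tampering amounts to watching who writes Safari’s configuration. The Python below is an added example, not code from Microsoft or Apple: it runs a simple rule over constructed file-event records (the event schema, the process names and the file names under Library/Safari are assumptions made for the example) and flags mutating operations by anything other than Safari itself.

```python
"""Added example (not Microsoft's or Apple's code): flag processes other than
Safari that modify Safari's configuration files under the user's home
directory.  The event records below are constructed and the file names are
assumptions for this example; a real sensor's schema will differ."""
import posixpath
from dataclasses import dataclass

# Safari keeps its per-site settings under this directory inside $HOME.
SAFARI_CONFIG_DIR = "Library/Safari"

# The only process expected to write there.  Anything else touching these
# files is the kind of tampering the HM Surf technique relies on.
ALLOWED_WRITERS = frozenset({"Safari"})

# Operations that change file content or the directory layout.
MUTATING_OPS = frozenset({"create", "write", "rename", "unlink", "chmod"})


@dataclass(frozen=True)
class FileEvent:
    process: str  # image name of the process performing the operation
    op: str       # "open", "write", "rename", ...
    path: str     # absolute path being touched
    home: str     # home directory of the user whose session this is


def is_safari_config_path(path: str, home: str) -> bool:
    """True when `path` resolves inside <home>/Library/Safari.

    Both sides are normalised so that '..' segments or doubled slashes
    cannot dodge the prefix check, and the trailing '/' stops a sibling
    such as '.../Library/SafariBackup' from matching."""
    target = posixpath.normpath(path)
    config_dir = posixpath.normpath(posixpath.join(home, SAFARI_CONFIG_DIR))
    return target == config_dir or target.startswith(config_dir + "/")


def suspicious_events(events):
    """Return the events in which a non-Safari process mutates Safari's
    TCC-protected configuration.  Reads are ignored: the attack needs
    writes, and backup or indexing tools may legitimately read the files."""
    return [
        e for e in events
        if e.op in MUTATING_OPS
        and e.process not in ALLOWED_WRITERS
        and is_safari_config_path(e.path, e.home)
    ]


# Constructed sample telemetry (not real macOS log data).
HOME = "/Users/alice"
SAMPLE_EVENTS = [
    # Safari updating its own settings: expected.
    FileEvent("Safari", "write", f"{HOME}/Library/Safari/PerSitePreferences.db", HOME),
    # A script rewriting the same file: this is the tampering to catch.
    FileEvent("python3", "write", f"{HOME}/Library/Safari/PerSitePreferences.db", HOME),
    # Reading the file is not, by itself, the attack.
    FileEvent("python3", "open", f"{HOME}/Library/Safari/PerSitePreferences.db", HOME),
    # Cache writes outside the config directory: normal noise.
    FileEvent("mdworker", "write", f"{HOME}/Library/Caches/com.apple.Safari/Cache.db", HOME),
    # Path built with '..' to slip past a naive prefix check.
    FileEvent("bash", "rename", f"{HOME}/Library/Safari/../Safari/UserMediaPermissions.plist", HOME),
    # Similar-looking sibling directory that must not match.
    FileEvent("rsync", "write", f"{HOME}/Library/SafariBackup/PerSitePreferences.db", HOME),
]


def main():
    for e in suspicious_events(SAMPLE_EVENTS):
        print(f"ALERT: {e.process} performed {e.op} on {e.path}")


if __name__ == "__main__":
    main()
```

Run against the sample events, the rule fires twice (the python3 write and the bash rename) and stays quiet for Safari’s own write, the read, the cache write and the look-alike directory. In production the same rule belongs in the endpoint sensor’s file-event stream rather than a script, and the allow-list would need to cover legitimate migration or backup tooling in the environment.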
Microsoft alert: urgent Safari exploit fix
TCC is designed to stop apps on your machine from reaching private data and services, such as location services, the camera, the microphone and the Downloads folder, without the user’s prior knowledge and consent. When an app needs such access, a pop-up asks the user for that specific permission. Microsoft explained that “Apple reserves some entitlements to their own applications, which are known as private entitlements.
Safari, the default browser in macOS, has very powerful TCC entitlements.” Those entitlements let Safari use the camera, microphone and location without passing through the normal TCC prompt for those services. In a real attack that lets an intruder act quietly: save an entire camera stream, record the microphone and stream it to another server, or read the device’s location. Other browsers such as Google Chrome, Mozilla Firefox and Microsoft Edge do not hold these private entitlements, so they cannot bypass TCC checks.
If those browsers need such access, the user sees a TCC pop-up asking for permission. Apple has since hardened Safari against modification of its configuration files. Chromium and Firefox have yet to adopt the new APIs, but Chromium is moving towards os_crypt, which addresses the same attack differently: it encrypts local browser data with a key kept in the OS keychain, so rewriting the file on disk without that key is not enough.
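The hardening just described, tying a local configuration file to a secret the attacker cannot reach, can be modelled in a few lines. The Python below is an added example, not Chromium’s os_crypt or Safari’s code: it contrasts a plaintext per-site permission store with one bound to a keychain-held key through an HMAC. The KeychainStub, the permission records and the site name are assumptions made for the example, and os_crypt itself encrypts the data rather than only authenticating it, but the property demonstrated is the same one: a file write without the keychain secret cannot change what the browser will honour.

```python
"""Added example (not Chromium's os_crypt nor Safari's code): a simplified
model of keeping a browser's per-site permission store tamper-evident by
binding it to a secret that lives outside the config file, here a keyed
HMAC.  KeychainStub stands in for the OS keychain; the permission records
and site name are constructed for this example."""
import hashlib
import hmac
import json
import secrets
from typing import Optional


class KeychainStub:
    """Stand-in for the OS keychain: the application-scoped secret never
    appears in any file an attacker can edit.  A real implementation would
    fetch it from the platform keychain."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)

    def app_key(self) -> bytes:
        return self._key


def _canonical(perms: dict) -> bytes:
    """Stable serialisation so the MAC covers exactly what load() parses."""
    return json.dumps(perms, sort_keys=True, separators=(",", ":")).encode()


def save_plain(perms: dict) -> bytes:
    """Weak design: the permission list is an ordinary file, so whoever can
    write it decides which site gets the camera."""
    return _canonical(perms)


def load_plain(blob: bytes) -> dict:
    return json.loads(blob)


def save_sealed(perms: dict, key: bytes) -> bytes:
    """Hardened design: the same payload plus an HMAC-SHA256 tag computed
    under the keychain-held key."""
    body = _canonical(perms)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"payload": body.decode(), "mac": tag}).encode()


def load_sealed(blob: bytes, key: bytes) -> dict:
    """Reject the store unless the tag verifies.  A rejected store must be
    treated as empty (every site back to 'ask'), never trusted."""
    doc = json.loads(blob)
    body = doc["payload"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("permission store failed integrity check")
    return json.loads(body)


def attacker_edit(blob: bytes, site: str, capability: str, decision: str) -> bytes:
    """What an attacker with write access to the file, but no keychain
    access, can do: rewrite the JSON and leave any existing tag as it is."""
    doc = json.loads(blob)
    if "mac" in doc:                                   # sealed format
        perms = json.loads(doc["payload"])
        perms.setdefault(site, {})[capability] = decision
        doc["payload"] = _canonical(perms).decode()
        return json.dumps(doc).encode()
    doc.setdefault(site, {})[capability] = decision    # plain format
    return _canonical(doc)


# Constructed per-site permissions for the example.
ORIGINAL = {"https://example.com": {"camera": "deny", "microphone": "deny"}}
SITE, CAP = "https://example.com", "camera"


def plain_store_outcome() -> str:
    """Decision the browser applies after the attacker edits the plain file."""
    tampered = attacker_edit(save_plain(ORIGINAL), SITE, CAP, "allow")
    return load_plain(tampered)[SITE][CAP]


def sealed_store_outcome(keychain: KeychainStub) -> str:
    """Decision after the same edit against the sealed file: the tag no
    longer verifies, the store is rejected, and the site has to ask."""
    key = keychain.app_key()
    tampered = attacker_edit(save_sealed(ORIGINAL, key), SITE, CAP, "allow")
    try:
        return load_sealed(tampered, key)[SITE][CAP]
    except ValueError:
        return "ask"


if __name__ == "__main__":
    print("plain store  ->", plain_store_outcome())                 # allow
    print("sealed store ->", sealed_store_outcome(KeychainStub()))  # ask
```

The plaintext store hands the attacker a silent camera grant; the sealed store falls back to asking the user. The fallback is the important design choice: an attacker who cannot forge the tag can still delete or corrupt the file, so the safe reaction to a failed check is to forget every stored decision rather than to keep the last good copy or, worse, to trust the payload anyway.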
Users are strongly encouraged to apply the latest macOS security updates, which remove the vulnerability. Organizations and individuals should install security updates promptly and use behaviour-monitoring protections that can flag unexpected changes to browser configuration files, since that is the step this attack depends on.