A new macOS vulnerability could allow a malicious actor to evade an operating system’s Transparency, Consent, and Control (TCC) technology, providing the attacker with unauthorized access to a legitimate user’s protected information. The vulnerability, dubbed HM Surf, removes TCC protection in the directory for the Safari browser. It then alters a configuration file in this directory, allowing the malicious actor to gain access to the user’s information. The information accessed may include:
- Browsed pages
- Device camera and microphone
- Device location
Security leaders weigh in
Ms. Xen Madden, Cybersecurity Expert at Menlo Security:
“The macOS “HM Surf” vulnerability (CVE-2024-44133) is a serious concern because of the unauthorized access it gives. But by the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it. For large companies that have software to do behavioral detections, this won’t have any real effect as they will be protected against this. However, security teams should prioritize updating all macOS devices, actively monitor for suspicious activity, and leverage behavioral-based detection tools to identify and respond to potential threats.”
John Bambenek, President at Bambenek Consulting:
“In essence, this is a privilege escalation vulnerability that requires executing malicious instructions on the victim machine, which running malware could do. The most obvious risk here is to target home users to try to capture video of a victim in a compromising position for later sextortion use. Security teams should update, however, it is important to have defenses in place that prevent malware getting on the machines in the first place.”
Mr. Balazs Greksza, Threat Response Lead at Ontinue:
“The vulnerability is specific to how the Safari browser addresses Transparency, Consent, and Control (TCC) permissions. These TCC details are stored in the user’s “~/Library/Safari” folder, in sqlite3 database PerSitePreferences.db, (which any user can interrogate with simple commands like:
sqlite3 PerSitePreferences.db
sqlite> SELECT * FROM preference_values; )
“In addition, optionally the UserMediaPermissions.plist file(if exists) may contain further configuration details. Defenders can certainly check whether these have been modified and detect the directory change using the DSCL (Directory Service command line) utility as well.
“The exploit claims to use the DSCL tool to modify the home folder which can read without specific permissions, however will require Sudo privileges to modify settings on most Macs, therefore, we believe that the exploit may not be easily and universally abused.”