
Microsoft: macOS Vulnerability Potentially Exploited in Adware Attacks

The Adload macOS adware potentially exploits a privacy bypass vulnerability resolved in Sequoia 15 last month.

Microsoft on Thursday warned of a recently patched macOS vulnerability potentially being exploited in adware attacks.

The issue, tracked as CVE-2024-44133, allows attackers to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and access user data.

Apple addressed the bug in macOS Sequoia 15 in mid-September by removing the vulnerable code, noting that only MDM-managed devices are affected.

Exploitation of the flaw, Microsoft says, “involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.”

According to Microsoft, which identified the security defect, only Safari is affected, as third-party browsers do not have the same private entitlements as Apple’s application and cannot bypass the protection checks.

TCC prevents applications from accessing personal information without the user’s consent and knowledge, but some Apple applications, such as Safari, have special privileges, named private entitlements, that may allow them to completely bypass TCC checks for certain services.

The browser, for example, is entitled to access the address book, camera, microphone, and other features, and Apple implemented a hardened runtime to ensure that only signed libraries can be loaded.

“By default, when one browses a website that requires access to the camera or the microphone, a TCC-like popup still appears, which means Safari maintains its own TCC policy. That makes sense, since Safari must maintain access records on a per-origin (website) basis,” Microsoft notes.


Furthermore, Safari’s configuration is maintained in various files, under the current user’s home directory, which is protected by TCC to prevent malicious modifications.

However, by changing the home directory using the dscl utility (which does not require TCC access in macOS Sonoma), modifying Safari’s files, and changing the home directory back to the original, Microsoft had the browser load a page that took a camera snapshot and recorded the device location.
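The bypass outlined above hinges on temporarily re-pointing a user's home directory with the dscl utility. The following Python is an added defender-side example (it is not code from the SecurityWeek article or from Microsoft's research) showing two cheap checks a macOS fleet could run: parse `dscl . -read /Users/<name> NFSHomeDirectory` output and flag any account whose home directory is not where it should be, and scan process-execution log lines for dscl invocations that rewrite the NFSHomeDirectory attribute. The sample dscl output and the "timestamp user command" log layout are constructed for this example; the `read_home_dir_live` helper and the `EXPECTED_ROOTS` tuple are assumptions to adapt to your own environment.

```python
"""Defender-side checks for unexpected home-directory changes on macOS.

Added example, not from the SecurityWeek article or Microsoft's research.
Sample data below is constructed; the log line layout is hypothetical.
"""
import re
import subprocess
from typing import Dict, Iterable, List, Optional

# Assumed roots under which legitimate home directories live:
# ordinary accounts under /Users, system/service accounts under /var.
EXPECTED_ROOTS = ("/Users/", "/var/")

# Matches the attribute line printed by `dscl . -read /Users/<name> NFSHomeDirectory`.
HOME_RE = re.compile(r"^NFSHomeDirectory:\s*(\S+)\s*$", re.MULTILINE)

# Matches dscl invocations that modify (rather than read) NFSHomeDirectory.
DSCL_MODIFY_RE = re.compile(
    r"\bdscl\b.*\s-(create|change|append|merge|delete)\s.*\bNFSHomeDirectory\b"
)


def parse_home_dir(dscl_output: str) -> Optional[str]:
    """Extract the NFSHomeDirectory value from `dscl ... -read` output."""
    m = HOME_RE.search(dscl_output)
    return m.group(1) if m else None


def is_unexpected_home(user: str, home: Optional[str], roots=EXPECTED_ROOTS) -> bool:
    """True when the home directory is missing, lies outside the expected
    roots, or (for /Users accounts) does not match the account name."""
    if home is None:
        return True
    if not home.startswith(roots):
        return True
    if home.startswith("/Users/") and home.rstrip("/") != f"/Users/{user}":
        return True
    return False


def audit_accounts(records: Dict[str, str]) -> List[str]:
    """records maps account name -> raw dscl -read output. Returns flagged names."""
    return [
        user for user, out in records.items()
        if is_unexpected_home(user, parse_home_dir(out))
    ]


def suspicious_dscl_events(log_lines: Iterable[str]) -> List[str]:
    """Return log lines where dscl rewrote an account's home directory."""
    return [line for line in log_lines if DSCL_MODIFY_RE.search(line)]


def read_home_dir_live(user: str) -> Optional[str]:
    """Query the local directory service for one account (macOS only; assumed helper)."""
    proc = subprocess.run(
        ["dscl", ".", "-read", f"/Users/{user}", "NFSHomeDirectory"],
        capture_output=True, text=True, check=False,
    )
    return parse_home_dir(proc.stdout)


# Constructed sample data: one account has been pointed at a staging directory.
SAMPLE_DSCL_OUTPUT = {
    "alice": "NFSHomeDirectory: /Users/alice\n",
    "bob": "NFSHomeDirectory: /private/tmp/stage\n",
    "_spotlight": "NFSHomeDirectory: /var/empty\n",
}

# Constructed process log: a read, a change away, a change back, an unrelated list.
SAMPLE_LOG = [
    "2024-10-18T10:01:02Z alice /usr/bin/dscl . -read /Users/alice NFSHomeDirectory",
    "2024-10-18T10:01:05Z alice /usr/bin/dscl . -change /Users/alice NFSHomeDirectory /Users/alice /private/tmp/stage",
    "2024-10-18T10:01:09Z alice /usr/bin/dscl . -change /Users/alice NFSHomeDirectory /private/tmp/stage /Users/alice",
    "2024-10-18T10:02:00Z alice /usr/bin/dscl . -list /Users",
]

if __name__ == "__main__":
    print("accounts with unexpected home directories:", audit_accounts(SAMPLE_DSCL_OUTPUT))
    for line in suspicious_dscl_events(SAMPLE_LOG):
        print("home directory rewritten:", line)
```

The quick change-and-revert pattern is the thing to alert on: a pair of NFSHomeDirectory modifications within seconds, by the same user, leaves the final `dscl -read` looking normal, so a point-in-time audit alone would miss it and the process log check is what catches it.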

An attacker could exploit the flaw, dubbed HM Surf, to take snapshots, save camera streams, record the microphone, stream audio, and access the device’s location, and could evade detection by running Safari in a very small window, Microsoft notes.

The tech giant says it has observed activity associated with Adload, a macOS adware family that can provide attackers with the ability to download and install additional payloads, likely attempting to exploit CVE-2024-44133 and bypass TCC.

Adload was seen harvesting information such as macOS version, adding a URL to the microphone and camera approved lists (likely to bypass TCC), and downloading and executing a second-stage script.

“Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique,” Microsoft notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
