Microsoft Uncovers ‘HM Surf’ Vulnerability in macOS TCC Framework

October 18, 2024

Microsoft has identified a vulnerability in Apple's Transparency, Consent, and Control (TCC) framework on macOS, the mechanism that safeguards user privacy by controlling how applications access sensitive data and system resources. Tracked as CVE-2024-44133 and code-named 'HM Surf', the flaw could allow an attacker to bypass a user's privacy settings and reach data those settings are meant to protect.

The HM Surf technique targets Safari, Apple's web browser. It strips the TCC protection from Safari's configuration directory, after which an attacker can edit a configuration file there and gain access to browsing history, the camera, the microphone and location data without a consent prompt. Microsoft's advisory states, “The vulnerability, which we refer to as 'HM Surf', involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.”

Apple addressed the vulnerability in macOS Sequoia 15. At present only Safari uses the new TCC protections, so Microsoft has also shared the issue with other browser vendors and is working with them on the benefits of hardening their local configuration files.

The TCC framework on macOS requires applications to obtain explicit user consent before accessing sensitive resources such as contacts, photos, or location. TCC works together with entitlements, the capabilities an app is granted to support specific functions. Developers can use a range of entitlements, but the most powerful ones are reserved for Apple’s own apps and system binaries.

Apps that carry the private 'com.apple.private.tcc.allow' entitlement, such as Safari, bypass TCC checks for the services the entitlement lists. Microsoft notes that this lets Safari reach sensitive services like the address book, camera, and microphone without the access restrictions imposed on ordinary apps. Safari also uses Apple’s Hardened Runtime to prevent arbitrary code execution; its library validation allows only libraries signed by Apple or by the same Team ID to be loaded. An attacker therefore cannot simply inject code into Safari to inherit its TCC access, which is why HM Surf tampers with the configuration files Safari trusts rather than with Safari itself.
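The two properties described above are both visible in codesign's output, and a practitioner auditing a Mac will want to read them out mechanically. The following Python helper is an added example, not code from Microsoft's or Apple's material: it parses an entitlements plist for the com.apple.private.tcc.allow key and parses the CodeDirectory flags line of a verbose codesign dump for the hardened-runtime and library-validation bits. The embedded plist and codesign line are constructed samples, the service list is illustrative rather than Safari's real entitlements, and audit_binary() assumes that `codesign -d --entitlements :- PATH` prints an XML plist on the macOS release in use (newer releases may need `--xml` added).

```python
import plistlib
import re
import subprocess

TCC_ALLOW_KEY = "com.apple.private.tcc.allow"

# Constructed sample standing in for `codesign -d --entitlements :- <app>` output.
# The services listed are illustrative, not a dump of Safari's real entitlements.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.private.tcc.allow</key>
    <array>
        <string>kTCCServiceAddressBook</string>
        <string>kTCCServiceCamera</string>
        <string>kTCCServiceMicrophone</string>
    </array>
</dict>
</plist>
"""

# Constructed sample of a sandboxed app with no private TCC entitlement.
SANDBOX_ONLY_ENTITLEMENTS = plistlib.dumps({"com.apple.security.app-sandbox": True})

# Constructed sample of a `codesign -dvvv` dump; the flags field of the
# CodeDirectory line is where hardened runtime and library validation appear.
SAMPLE_CODESIGN_VERBOSE = (
    "Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    "Identifier=com.example.app\n"
    "CodeDirectory v=20500 size=1234 flags=0x12000(library-validation,runtime) "
    "hashes=30+7 location=embedded\n"
)


def tcc_allow_services(entitlements_plist: bytes) -> list[str]:
    """Return, sorted, the TCC services the binary may use without a prompt.

    An empty list means the binary carries no private TCC bypass and is subject
    to the normal consent dialogs.
    """
    entitlements = plistlib.loads(entitlements_plist)
    services = entitlements.get(TCC_ALLOW_KEY, [])
    if isinstance(services, str):  # a lone service may be encoded as a string
        services = [services]
    return sorted(services)


def signing_flags(codesign_verbose: str) -> set[str]:
    """Parse the CodeDirectory flag names, e.g. {'library-validation', 'runtime'}."""
    match = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", codesign_verbose)
    if not match or match.group(1) in ("", "none"):
        return set()
    return {flag.strip() for flag in match.group(1).split(",")}


def code_injection_resistant(codesign_verbose: str) -> bool:
    """True when both the hardened runtime and library validation are enabled."""
    return {"runtime", "library-validation"} <= signing_flags(codesign_verbose)


def audit_binary(path: str) -> dict:
    """Run codesign against a real binary (macOS only; codesign is not on Linux).

    Assumption: on this macOS release `codesign -d --entitlements :- PATH`
    prints the XML plist; newer releases may need `--xml` to get plist output.
    codesign writes its -d report to stderr, hence .stderr below.
    """
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True, check=True).stdout
    verbose = subprocess.run(["codesign", "-dvvv", path],
                             capture_output=True, text=True, check=True).stderr
    return {"tcc_bypass": tcc_allow_services(ents),
            "hardened": code_injection_resistant(verbose)}


if __name__ == "__main__":
    print("TCC bypass services:", tcc_allow_services(SAMPLE_ENTITLEMENTS))
    print("Hardened runtime + library validation:",
          code_injection_resistant(SAMPLE_CODESIGN_VERBOSE))
```

A binary that reports both a non-empty TCC bypass list and a hardened, library-validated runtime is exactly the profile HM Surf exploits indirectly: its code cannot be hijacked, so any data it guards must be reached through the files it reads.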

The chain Microsoft demonstrated changes the current user's home directory record (using the dscl utility, which in macOS Sonoma did not itself require TCC access) so that the real ~/Library/Safari directory is no longer TCC-protected, edits Safari's configuration files there, restores the home directory, and then launches Safari so it consumes the modified files. Microsoft clarifies that third-party browsers aren't affected, as they lack Apple’s private entitlements. Microsoft has also warned of suspicious activity potentially linked to exploitation of this vulnerability to deploy the macOS adware Adload. The report concludes, “Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the Adload campaign is exploiting the HM surf vulnerability itself. Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.”
