New warning affects millions of Apple users
This new threat is real. Microsoft warns that this has likely been exploited, giving attackers “unauthorized access to users’ protected data.” And that data includes “the web pages you view, your device’s camera, microphone, and location” without your knowledge.
The new hack, dubbed “HM Surf,” affects macOS users whose devices are centrally controlled through a mobile device management (MDM) setup. Therefore, this is a risk for enterprise users rather than home users. It works by bypassing the device’s TCC (Transparency, Consent, and Control) protections within Safari, essentially allowing Safari to access device data it shouldn’t have access to and deliver the data to the attacker. “We have shared our findings with Apple,” Microsoft said, and the iDevice maker has released a fix. It is part of the security updates for macOS Sequoia, released on September 16, 2024. Suffice it to say, all macOS users should make sure to apply this update to their machines.
Microsoft also notes that “Currently, only Safari uses the new protections provided by the TCC; [we are] currently working with other major browser vendors to explore the benefits of hardening local configuration files.” Security researchers discovered that related Safari configuration files are stored in users’ home directories and can potentially be modified to remove TCC protection. So while Safari also requests permission to access such services, it maintains its own allow list, bypassing TCC in this way and leaving everything open to attack.
“We recommend that macOS users apply these security updates as soon as possible,” Microsoft said. TCC is designed to prevent apps running on your machine from accessing personal data, including “services such as location services, camera, microphone, download directory, etc. without your prior consent or knowledge.” If an app requires access, a pop-up will appear asking for specific permissions.
What you see when you implement TCC protection
As Microsoft explains, the problem is that “Apple reserves some entitlements for its applications, known as private entitlements,” and Safari, the default browser on macOS, holds very strong TCC entitlements. These entitlements include access to cameras, microphones and screens, as well as large amounts of personal data.
Microsoft explains that these entitlements let Safari “completely bypass” the normal TCC access checks on these services, and warns that in a real-world scenario an attacker could save the entire camera stream, record the microphone and stream or upload it to another server, gain access to the device’s location, and start Safari in a very small window to avoid drawing attention.
Users of other browsers on Apple devices are not given the insider pass and are not at the same risk. “Third-party browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge do not have the same private privileges as Apple applications. This means that such applications cannot bypass TCC checks.” If other browsers want to access such a feature, a pop-up will appear asking for permission.
Apple is currently hardening Safari to prevent changes to these preference files. And Microsoft says it is currently “working with other major browser vendors to explore the benefits of hardening local configuration files.” It adds: “Chromium and Firefox have not yet adopted the new API, but Chromium has moved to using os_crypt, which solves the attack in a different way.”
I’ve reached out to Apple for comment on Microsoft’s report.