MacOS Safari HM Surf Exploit Exposes Camera, Mic, Browser Data

Published: 23/11/2024   Category: security




Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.



A security weakness in the Safari browser on macOS devices might have exposed users to spying, data theft, and other forms of malware.
The issue is enabled by the special permissions Apple gives to its proprietary apps — in this case, its browser — and the ease with which an attacker can reach important app configuration files. In the end, it allows an attacker to bypass the Transparency, Consent, and Control (TCC) security layer that MacBooks use to guard sensitive data. Its CVE entry, CVE-2024-44133, has earned a medium-severity 5.5 rating in the Common Vulnerability Scoring System (CVSS).
Researchers from Microsoft have named their exploit of CVE-2024-44133 HM Surf. In a new blog post, they described how HM Surf could open the door to a user’s browsing data, camera, and microphone, as well as their device’s location, among other things. And the threat doesn’t only appear to be theoretical: There’s already inconclusive but not insignificant evidence to suggest that one adware program has already exploited CVE-2024-44133, or something quite like it, in the wild.
Apple released a fix for CVE-2024-44133 in its update to macOS Sequoia back on Sept. 16.
“It’s a serious concern, because of the unauthorized access it gives,” says Xen Madden, cybersecurity expert at Menlo Security, emphasizing the need for organizations to update their macOS devices. But, she adds, “By the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it.”
In any and all Apple devices, TCC is there to manage what sensitive data and features apps can access. If some app wants to access your camera, for example, thanks to TCC, you can rest assured that your Mac will ask for your permission first.
Unless your app has a special entitlement. Some of Apple’s proprietary apps possess entitlements — special permissions, approved by Apple, which allow them unique privileges compared to other apps. The core of why HM Surf works is Safari’s entitlement, com.apple.private.tcc.allow, which allows it to bypass TCC at an app level and apply it only on a per-website (per-origin) basis. In other words, Safari can freely access your camera and microphone as it wishes, but any given website you visit through Safari likely cannot.
Safari’s configuration — including the rules that define per-origin TCC protections — is stored in various files under ~/Library/Safari, within the user’s home directory. Manipulating these files could provide a path to TCC bypass, though the home directory is itself TCC protected.
Getting around that roadblock is simple, though, using the autological directory service command line utility (DSCL), a tool in macOS for managing directory services from the command line. In HM Surf, DSCL is used to temporarily change the home directory, removing the TCC umbrella shielding ~/Library/Safari. The researchers could then modify Safari’s per-origin TCC configurations — allowing all kinds of permissions for a malicious website of their own creation — before ultimately reinstating the home directory. Thereafter, if a user visited the malicious site, the site would have full rein to capture screenshots, location data, and more, without ever triggering a permission pop-up.
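As an added defender-side illustration (not code from Microsoft’s blog post or from this article), the following detector correlates the two observable steps of the technique described above: a dscl write to a user’s home-directory record, followed shortly by a write into ~/Library/Safari from a process other than Safari. The event format, the sample log lines and the file name SitePrefs.example are constructed for this example; NFSHomeDirectory is the directory-record attribute that holds a user’s home path.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry for this example (not real logs). One event per line:
# "<ISO timestamp> <user> <process path> <action> <target>", where action is
# EXEC (target = command line) or WRITE (target = file path written).
SAMPLE_EVENTS = """\
2024-11-23T10:00:01Z alice /Applications/Safari.app/Contents/MacOS/Safari WRITE /Users/alice/Library/Safari/Bookmarks.plist
2024-11-23T10:02:10Z alice /usr/bin/dscl EXEC dscl . -read /Users/alice NFSHomeDirectory
2024-11-23T10:02:12Z alice /usr/bin/dscl EXEC dscl . -change /Users/alice NFSHomeDirectory /Users/alice /private/tmp/h
2024-11-23T10:02:13Z alice /usr/bin/python3 WRITE /Users/alice/Library/Safari/SitePrefs.example
2024-11-23T10:02:14Z alice /usr/bin/dscl EXEC dscl . -change /Users/alice NFSHomeDirectory /private/tmp/h /Users/alice
2024-11-23T11:30:00Z bob /usr/bin/python3 WRITE /Users/bob/Documents/notes.txt
""".splitlines()

DSCL_WRITE_VERBS = {"-change", "-create", "-append", "-merge", "-delete"}
SAFARI_DIR = re.compile(r"^/Users/[^/]+/Library/Safari/")
SAFARI_APP = "/Applications/Safari.app/"

def parse(line):
    ts, user, proc, action, target = line.split(" ", 4)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, proc, action, target

def is_homedir_change(proc, action, target):
    # dscl *writing* NFSHomeDirectory (the attribute holding the home path); reads are ignored.
    tokens = set(target.split())
    return (action == "EXEC" and proc.endswith("/dscl")
            and "NFSHomeDirectory" in tokens and bool(DSCL_WRITE_VERBS & tokens))

def is_foreign_safari_write(proc, action, target):
    # Any write into ~/Library/Safari by something other than Safari itself.
    return action == "WRITE" and bool(SAFARI_DIR.match(target)) and not proc.startswith(SAFARI_APP)

def detect(lines, window=timedelta(seconds=60)):
    """Return (user, process, path) for each non-Safari write into ~/Library/Safari
    that follows a home-directory change by the same user within `window`."""
    last_change, alerts = {}, []
    for line in lines:
        ts, user, proc, action, target = parse(line)
        if is_homedir_change(proc, action, target):
            last_change[user] = ts
        elif (is_foreign_safari_write(proc, action, target)
              and user in last_change and ts - last_change[user] <= window):
            alerts.append((user, proc, target))
    return alerts

if __name__ == "__main__":
    for user, proc, path in detect(SAMPLE_EVENTS):
        print(f"ALERT: {user}: home directory changed, then {proc} wrote {path}")
```

Safari’s own writes and read-only dscl queries are deliberately not flagged, so the rule fires on the sequence rather than on either step alone.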
After concocting their exploit, Microsoft started scanning customer environments for activity that aligned with what they’d found. On one device, lo and behold, they spotted something quite closely resembling what they were looking for.
It was a program digging into the victim’s Chrome configuration settings, adding approval for microphone and camera access to a specific URL. It also did more: gathering user and device information, laying the groundwork for a second-stage payload.
This program, it turned out, was a well-known macOS adware program called AdLoad. AdLoad hijacks and redirects browser traffic, pestering users with unwanted advertisements. It also goes further: harvesting user data, turning infected devices into nodes in a botnet, and acting as a staging ground for further malicious payloads.
In its blog post, Microsoft noted that though AdLoad’s activity closely resembled the HM Surf technique, “Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself.” Still, it added, “Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.”
Dark Reading has contacted both Apple and Microsoft for further comment on this story.
