HM Surf (CVE-2024-44133): macOS Flaw Exposing Cameras and Microphones to Hackers, PoC Published
In a significant discovery by Microsoft Threat Intelligence, a vulnerability in macOS, identified as CVE-2024-44133, has been found to bypass Apple’s Transparency, Consent, and Control (TCC) technology. This flaw, dubbed “HM Surf,” could allow malicious actors to gain unauthorized access to sensitive user data, including camera, microphone, browsing history, and even location information, without the user’s consent.
TCC is a security framework designed to prevent unauthorized apps from accessing users’ personal data on macOS, such as camera and microphone permissions, unless explicitly allowed by the user. However, the CVE-2024-44133 vulnerability reveals that TCC protection for Safari’s directories could be removed. By manipulating configuration files within the Safari directory, attackers could access a user’s camera, microphone, and even track location data.
This bypass, which the Microsoft Threat Intelligence team referred to as HM Surf, involves modifying a configuration file in Safari’s directory to alter the user’s default permissions for key services. This would then allow an attacker to silently interact with the device’s hardware and software without triggering any notification or user consent popup, which is typically required by TCC.
This bypass, which the Microsoft Threat Intelligence team referred to as HM Surf, involves modifying a configuration file in Safari’s directory to alter the user’s default permissions for key services. This would then allow an attacker to silently interact with the device’s hardware and software without triggering any notification or user consent popup, which is typically required by TCC.
According to the analysis, the bypass relies on sensitive files in the ~/Library/Safari directory. By altering key files, such as the PerSitePreferences.db, an attacker could override security controls and exploit Safari’s extensive entitlements to sensitive services. “Reading arbitrary files from the directory allows attackers to gather extremely useful information,” the report stated, detailing how the malicious actor could access history files or more sensitive data.
Microsoft’s analysis further explains that behavior monitoring within Microsoft Defender for Endpoint has detected activities related to this vulnerability. Specifically, it observed modifications to browser configuration files, a suspicious indicator linked to the prevalent macOS malware Adload. Although there is no concrete evidence yet that Adload directly exploits this vulnerability, the detection of such anomalous behavior signals how attackers could potentially leverage HM Surf to further their attacks.
Microsoft Defender for Endpoint has been updated to detect and prevent exploitation attempts of CVE-2024-44133. The endpoint protection can block these attacks by flagging modifications to Safari’s configuration files or unauthorized access to TCC-protected services.
Security researcher Jonathan Bar Or (@yo_yo_yo_jbo) of Microsoft who has been credited for reporting this flaw, also published the proof-of-concept exploit.
Apple promptly released a patch for the vulnerability on September 16, 2024, as part of the macOS Sequoia update. Microsoft is now collaborating with other browser vendors, including Google and Mozilla, to investigate the benefits of hardening local configuration files and applying similar protective measures.
Users are strongly encouraged to apply the latest security updates provided by Apple to protect against this vulnerability.
