Microsoft finds ‘unauthorized access’ vulnerability in macOS

In recent years, operating system vulnerability stories usually include some form of Google picking around in Windows and exposing faults in Microsoft’s legacy platform, but this time around the crew from Bellevue found something in Apple’s heralded OS that raises concerns for users.

Microsoft researchers recently unearthed a security flaw involving Apple’s flagship browser, Safari. According to the researchers, the HM Surf flaw, which leverages system permissions granted to Safari through Mobile Device Management (MDM) systems, can grant unauthorized access to device hardware such as cameras and microphones. “We called our exploit HM Surf in reference to the HM03 (Surf) Safari zone and recorded a complete video of our exploit”, explained Microsoft’s Threat Intelligence team.

The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent.  

Microsoft Threat Intelligence

Microsoft found that if it could gain access to and alter the home directory through a command-line tool from O’Reilly called dscl in macOS, it could then hijack all of the permissions granted to Safari. Furthermore, once a hacker adjusted the permissions, they could cover their tracks fairly well when suspicious admins attempted to investigate the stored Safari files that had been tampered with.
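A defender-side check for the step described above, as an added example that is not from the original article or from Microsoft: it scans process-execution records for dscl commands that rewrite a user's home directory attribute (NFSHomeDirectory). The record format, the function names and the sample events are constructed for illustration.

```python
import shlex

HOME_ATTR = "NFSHomeDirectory"  # directory-service attribute holding the home path
WRITE_CMDS = {"change", "create", "append", "merge", "delete"}  # dscl write verbs

# Constructed records (time|user|command line); the format is an assumption.
SAMPLE_EVENTS = """\
2024-10-01T09:12:03Z|alice|/usr/bin/dscl . -read /Users/alice NFSHomeDirectory
2024-10-01T09:12:07Z|alice|/usr/bin/dscl . -change /Users/alice NFSHomeDirectory /Users/alice "/private/tmp/new home"
2024-10-01T09:20:00Z|bob|sudo dscl . -create /Users/bob UserShell /bin/zsh
2024-10-01T09:31:44Z|root|dscl . change /Users/carol NFSHomeDirectory /Users/carol /Volumes/ext/carol
"""

def parse_dscl_write(cmdline):
    """Return (verb, record, new_value) for a dscl write to HOME_ATTR, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: cannot be parsed as a command line
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if not argv or argv[0].rsplit("/", 1)[-1] != "dscl":
        return None
    for i, tok in enumerate(argv[1:], start=1):
        verb = tok.lstrip("-")  # also match the verb written without its dash
        if verb in WRITE_CMDS:
            args = argv[i + 1:]  # record path, attribute, then value(s)
            if len(args) >= 2 and args[1] == HOME_ATTR:
                return verb, args[0], args[-1] if len(args) > 2 else None
            return None
    return None

def find_home_dir_changes(log_text):
    """Collect every record in log_text that rewrites a user's home directory."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed records
        ts, actor, cmdline = parts
        hit = parse_dscl_write(cmdline)
        if hit:
            verb, record, new_home = hit
            findings.append({"time": ts, "actor": actor, "verb": verb,
                             "record": record, "new_home": new_home})
    return findings

if __name__ == "__main__":
    for f in find_home_dir_changes(SAMPLE_EVENTS):
        print(f)
```

Reads of the attribute and writes to other attributes are ignored, so only the two constructed home-directory changes are reported.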

With Safari holding the largest list of granted permissions on macOS, the web browser is a target-rich environment for malware such as Adload, which aims to leverage the laundry list of permissions accessible through the macOS browser.

Beyond some light rhetorical finger waving, Microsoft alerted Apple through its Coordinated Vulnerability Disclosure (CVD) platform, and the macOS team has already issued a patch for what is now identified as CVE-2024-44133 as part of a security update for macOS Sequoia.

The patch essentially hardens the TCC protections that CVE-2024-44133 sought to bypass: the cautionary on-device prompts that users interact with when functionalities such as the microphone and camera are accessed.

Fortunately for Apple, the vulnerability was specific to devices managed in enterprise and educational settings through specialized software. HM03 (Surf) wasn’t widespread, nor did it seem to affect the much louder consumer crowd, like, say, the CrowdStrike outage that lampooned Windows devices.

Nevertheless, it’s a quick lesson that any system can be hacked given enough time and ingenuity.
