Access to camera, microphone and browser data: Microsoft discovers Safari vulnerability

The "HM Surf" bug, which has now been fixed, is based on problems with app permissions. However, only certain groups of people were affected.


Safari icon: A problematic vulnerability, but only under certain circumstances.

(Image: Apple)


Microsoft has published details of a macOS vulnerability that may have made it possible to access sensitive browser data in Apple's Safari, including access to the camera, microphone and other information. Corporate and education customers whose devices are administered via Mobile Device Management (MDM) were affected, but not regular users.

The bug has the CVE ID CVE-2024-44133 and was fixed as part of the release of macOS 15 Sequoia on September 16th, but not in macOS 14.7, which was released at the same time, for reasons that remain unclear. Apple describes the bug itself as follows: "On devices managed via MDM, an app may be able to bypass certain privacy settings." All current Macs are affected: iMac from 2019, iMac Pro from 2017, Mac Studio from 2022, Mac Pro from 2019, Mac mini from 2018, MacBook Air from 2020 and MacBook Pro from 2018.


The bug, which Microsoft's security team has dubbed "HM Surf", affects the way macOS grants access to sensitive system functions as part of the TCC (Transparency, Consent and Control) technology. As Microsoft has discovered, Safari stores various local files that control the TCC policy for the browser. Among other things, they specify when a website has been granted access to the camera or microphone.

The Microsoft researchers managed to change the TCC files by temporarily changing the home directory, which should not actually be possible with TCC. They used the command line tool dscl. After changing the home directory, it was possible to change the Safari TCC configuration; the home directory was then reset so that the changed configuration could be read in order to grant an attacker website access to the camera or microphone.
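For defenders, the change-then-reset of the home directory described above is a pattern that can be looked for in process telemetry. The following detection sketch is an added example, not code from Microsoft, Apple or the original article. The event format, sample paths and 10-minute window are assumptions, and the `-change`/`-create` subcommands and the `NFSHomeDirectory` attribute are standard dscl names that do not appear in the article.

```python
import shlex
from datetime import datetime, timedelta

# Constructed process-execution events (ISO timestamp, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-10-01T09:00:05", "dscl . -read /Users/alice NFSHomeDirectory"),
    ("2024-10-01T09:14:10", "/usr/bin/dscl . -change /Users/alice NFSHomeDirectory /Users/alice /private/tmp/h"),
    ("2024-10-01T09:14:42", "/usr/bin/dscl . -change /Users/alice NFSHomeDirectory /private/tmp/h /Users/alice"),
    ("2024-10-01T11:30:00", "dscl . -create /Users/bob NFSHomeDirectory /Volumes/Data/bob"),
]

def parse_home_change(cmdline):
    """Return (record, old_home_or_None, new_home) for a dscl call that sets NFSHomeDirectory."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in the logged command line
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] != "dscl":
        return None
    for i, arg in enumerate(argv):
        # Accept the subcommand with or without its leading dash.
        verb, rest = arg.lstrip("-"), argv[i + 1:]
        if verb not in ("change", "create") or len(rest) < 3 or rest[1] != "NFSHomeDirectory":
            continue
        if verb == "create":                 # create <record> <key> <new>
            return rest[0], None, rest[2]
        if len(rest) >= 4:                   # change <record> <key> <old> <new>
            return rest[0], rest[2], rest[3]
    return None

def find_home_changes(events, window=timedelta(minutes=10)):
    """Report every home-directory change; mark as 'flip' one that restores a value replaced within `window`."""
    seen, findings = {}, []     # record -> [(time, old_home)] of earlier changes
    for ts, cmdline in sorted(events):
        hit = parse_home_change(cmdline)
        if hit is None:
            continue
        record, old, new = hit
        when = datetime.fromisoformat(ts)
        reverted = any(prev_old == new and when - prev_when <= window
                       for prev_when, prev_old in seen.get(record, []))
        findings.append({"time": ts, "record": record, "new_home": new,
                         "kind": "flip" if reverted else "change"})
        seen.setdefault(record, []).append((when, old))
    return findings
```

A "flip" on an MDM-managed Mac is worth correlating with modifications to Safari's per-user configuration files in the same time window.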

It is unclear whether an attack has already taken place, but the creators of the adware "AdLoad" are said to have been interested in this type of exploit, according to the Microsoft researchers. However, as the attack was only possible on Macs controlled via MDM, it is unlikely that it would spread more widely. The threat is therefore also rated with only 5.5 out of a possible 10 points in the Common Vulnerability Scoring System (CVSS). Apple fixed the problem by "removing vulnerable code".


(bsc)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.