A security breach discovered by Microsoft allowed a cybercriminal to access a Mac user’s camera, microphone and history through their Safari browser.
Microsoft’s threat intelligence team has published an in-depth article explaining in detail a vulnerability discovered in Safari, the default browser on rival Apple’s devices. This vulnerability, which Microsoft has called HM Surf, allows an attacker to bypass the TCC (Transparency, Consent and Control) system of the apple devices, gaining access to the user’s confidential data.
HM Surf makes it possible to “remove TCC protection from the Safari browser directory and modify a configuration file in that directory to gain access to user data, including history pages, device camera, microphone, and location, without the user’s consent.
The vulnerability has already been corrected by Apple through the update of its Sequoia 15 operating system, since last September 16.
For this reason, Microsoft encourages all Apple users to update their macOS systems if they have not already done so, as they have detected activities that suggest that some actors are taking advantage of this vulnerability: “We recommend that macOS users apply these security updates as soon as possible. “The behavior monitoring protections in Microsoft Defender for Endpoint detected activity associated with Adload, a family of threats predominant in macOS, which potentially exploits this vulnerability,” the Redmond company indicates.
In addition, Microsoft is studying the benefits that strengthening the security of local configuration files would also have for other browsers, to prevent this type of intrusion.
To hack the device using HM Surf, the malicious actor would carry out the following steps:
- Change the current user’s home directory with the dscl utility, a step that does not require access to TCC in macOS Sonoma.
- Modify sensitive files (e.g. PerSitePreferences.db) within “~/Library/Safari” under the user’s actual home directory.
- Changing the home directory to the original directory causes Safari to use the modified files.
- Launch Safari to open a web page that takes a snapshot through the device’s camera and captures the location.
Only affects Safari
This vulnerability, which, as we say, has already been corrected, does not affect third-party browsers, such as Google Chrome or Firefox, since third-party apps do not have access to such essential settings as Apple’s own applications do.
From Microsoft, they comment on the development of a cyberattack campaign called Adload, which could have been making use of this vulnerability, although they have not been able to confirm it: “Since we were not able to observe the steps that led to the activity, we cannot completely determine If the Adload campaign is exploiting the HM Surf vulnerability. The fact that attackers use a similar method to implement a common threat increases the importance of having protection against attacks that use this technique,” they explain.
Microsoft will continue to investigate malware threats affecting devices from other brands, since “as cross-platform threats continue to increase, a coordinated response to vulnerability discoveries and other forms of sharing threat intelligence will help enrich the protection technologies that “They ensure users’ computing experience regardless of the platform or device they are using.”
