Microsoft claims it found a major macOS security bug that could put all your data at risk

Security
(Image credit: Shutterstock) (Image credit: Shutterstock)

Microsoft security researchers have uncovered a vulnerability in the macOS operating system that could allow threat actors to gain access to sensitive data stored on the device.

The company detailed its findings in a blog post, which claimed the flaw bypasses the operating system’s Transparency, Consent, and Control (TCC) technology, and it was dubbed “HM Surf”.

The bug is now tracked as CVE-2024-44133. It has a severity score of 5.5 (medium), and was fixed in mid-September 2024.

What about Chrome, or Firefox?

Microsoft explained that the vulnerability removes TCC protection for the Safari browser directory, and allows for the modification of a configuration file in that directory. As a result, the malicious actor gains access to user data, such as browsed pages, the camera, microphone, location, and more - all without user consent.

While the bug being patched is definitely good news, there is a caveat. As explained in the article, only Safari uses the new protections afforded by the TCC, at the moment. That means other browsers, such as Chrome, or Firefox, “do not have the same private entitlements as Apple applications,” so they can’t work around the TCC checks. In other words, once a user approves TCC checks, the app is the one maintaining access to the privacy database.

“Microsoft is currently collaborating with other major browser vendors to investigate the benefits of hardening local configuration files,” the company explained.

Apple users are encouraged to apply the security update as soon as possible, since Microsoft claims to have found a possible case of in-the-wild abuse:

“Behavior monitoring protections in Microsoft Defender for Endpoint has detected activity associated with Adload, a prevalent macOS threat family, potentially exploiting this vulnerability,” it concluded.

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.