Advisory

Microsoft reports macOS vulnerability dubbed HM Surf that bypasses the TCC framework

Take action: Although the flaw is far from critical, it is wise to patch your Mac. Someone will eventually be able to exploit this flaw.


Microsoft reports a vulnerability within macOS, dubbed "HM Surf".

The vulnerability, tracked as CVE-2024-44133 (CVSS score 5.5), can be exploited to bypass Apple's Transparency, Consent, and Control (TCC) framework, an integral part of macOS security that regulates access to sensitive data such as browsing history, camera, microphone, and location. Microsoft warns that active exploitation of this flaw may already be underway, potentially by a known macOS adware strain called Adload.

The HM Surf vulnerability specifically targets Apple's built-in web browser, Safari, which holds special permissions, known as private entitlements, to access certain system resources that are off-limits to other apps. These entitlements allow Safari to bypass the usual TCC checks, granting it deeper access to users' personal information.

Microsoft researchers uncovered that attackers could exploit this unique privilege by tampering with Safari's configuration files stored within the user’s home directory. By changing Safari’s configuration to disable TCC protections, the attacker can quietly gain access to sensitive data, including device location, camera, and microphone, all without the user’s consent or awareness.

Exploiting the HM Surf vulnerability involves several technical steps:

  1. Accessing Safari's Configuration: Attackers first modify Safari's configuration files under the user's home directory, altering permissions and access levels.
  2. TCC Bypass: By changing the configuration, attackers disable TCC safeguards specifically for Safari, allowing them to bypass checks and access restricted services.
  3. Stealthy Exploitation: In a real-world scenario, attackers could initiate Safari in a tiny, hidden window, preventing users from noticing anything unusual while the malicious activity unfolds in the background.

Through this exploit, attackers could perform a range of privacy-invasive actions, including:

  • Taking snapshots with the camera,
  • Recording continuous video streams,
  • Capturing audio from the microphone,
  • Tracking the device's location.

Adload, a persistent macOS adware known for aggressive data collection, appears to be linked to ongoing efforts to exploit the HM Surf vulnerability. While Microsoft could not fully confirm whether Adload directly uses this specific exploit, it detected behaviors associated with Adload on customer devices, including:

  • Adding URLs to TCC's “approved” lists for camera and microphone access,
  • Harvesting macOS version information,
  • Downloading secondary malicious payloads.

This finding raises concerns that attackers may be actively leveraging HM Surf in their campaigns, adding urgency to the need for mitigation.

Apple has released a patch for this issue in macOS Sequoia 15 on September 16, 2024, as part of a broader security update. The fix removes the vulnerable code in Safari’s configuration files, ensuring that attackers cannot exploit the flaw.

Apple claims that only MDM-managed devices were affected, likely due to their reliance on centralized administrative permissions.

Microsoft strongly urges all macOS users to apply the September 16, 2024, update immediately.
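The advisory's remediation is the macOS Sequoia 15 update of September 16, 2024. The following POSIX shell script, added here as an example and not part of the advisory or of any Microsoft or Apple tooling, compares a macOS product version string against 15.0 (the fixed release named above; the exact point-release threshold is an assumption drawn from the page) so a fleet check can flag Macs that have not received the fix. The sample version strings in the usage are constructed.

```shell
#!/bin/sh
# Added example: report whether a macOS version predates the HM Surf fix.
# The fixed version "15.0" is taken from the advisory (macOS Sequoia 15);
# treat it as an assumption if Apple's own notes list a different build.

FIXED_VERSION="15.0"

# version_ge A B: exit 0 if dot-separated numeric version A >= B, else 1.
# Missing trailing fields are treated as 0, so "15" == "15.0" == "15.0.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# hm_surf_status VERSION: print "patched" (exit 0) or "unpatched" (exit 1).
hm_surf_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "patched"
        return 0
    fi
    echo "unpatched"
    return 1
}

# check_running_system: query the local macOS via sw_vers, which exists on
# every macOS install; on other platforms report that and exit 2.
check_running_system() {
    if command -v sw_vers >/dev/null 2>&1; then
        hm_surf_status "$(sw_vers -productVersion)"
    else
        echo "sw_vers not found: this is not a macOS host" >&2
        return 2
    fi
}

# Usage: sh hm_surf_check.sh 14.7.1   (constructed sample version string)
# or, on a Mac:  sh hm_surf_check.sh "$(sw_vers -productVersion)"
if [ "$#" -gt 0 ]; then
    hm_surf_status "$1"
fi
```

In a managed fleet the same comparison can be run from an MDM script payload, with the "unpatched" result used to drive a compliance flag rather than a console message; the version parser above deliberately avoids string comparison so that 15.0 is correctly ranked above 14.7.1.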