A vulnerability in Apple’s macOS operating system recently revealed by Microsoft is directly related to Transparency, Consent, and Control (TCC), the Apple framework that is one of the company’s many privacy-centric initiatives. It would allow an attacker to circumvent the user’s privacy preferences and access the information they want from the Safari browser.
HM Surf: Fixed Vulnerability
Microsoft Threat Intelligence described the vulnerability in a blog post. It has since been assigned CVE-2024-44133, and the Microsoft team nicknamed it HM Surf. Apple addressed it in the macOS Sequoia 15 update, stating that it did so by “removing the vulnerable code.”
Impact of the flaw
As Jonathan Bar-Issac of Microsoft explained, HM Surf “involves removing the TCC protection for the Safari browser directory and modifying a configuration file in said directory to access the user’s data (including pages he has browsed, device camera, microphone, and location) without the user’s consent.”
The identified vulnerability, however, impacts the Safari browser. Other standard browsers, such as Chrome and Firefox, cannot bypass TCC controls because they do not have the same privacy entitlements as Apple applications.
Recommendations
It is therefore recommended that you update your operating system to apply the necessary security patches. In addition, keep an eye out for possible threats and take appropriate measures to protect your data.
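For the update recommendation above, here is an added example (not from Microsoft's or Apple's material) that triages a host inventory against macOS 15, the release the article names as carrying the fix. The host names and the "host version" inventory format are constructed, and treating every release below 15 as unpatched is an assumption based only on this article.

```shell
#!/bin/sh
# Added example: flag Macs that are below the release the article names as
# fixed for CVE-2024-44133 (macOS Sequoia 15).

FIXED_MAJOR=15   # from the article: fixed in macOS Sequoia 15

# hm_surf_status VERSION -> prints "patched", "vulnerable" or "unknown".
# Compares the major component numerically, so 10.15.7 (Catalina) is not
# mistaken for a 15.x release by a naive substring match on "15".
hm_surf_status() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*..*) echo unknown; return 0 ;;  # empty or malformed
    esac
    major=${ver%%.*}
    if [ "$major" -ge "$FIXED_MAJOR" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# audit_inventory: reads "host version" lines on stdin and prints only the
# hosts that need attention (vulnerable, or version could not be parsed).
audit_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        status=$(hm_surf_status "$ver")
        [ "$status" = patched ] || printf '%s %s %s\n' "$host" "${ver:-none}" "$status"
    done
}

# Constructed sample inventory (hypothetical host names).
sample_inventory() {
cat <<'EOF'
mac-design-01 15.0
mac-build-02 14.7.1
mac-legacy-03 10.15.7
mac-lab-04 15.1
mac-kiosk-05 unknown
EOF
}

# On a Mac, the local check is: hm_surf_status "$(sw_vers -productVersion)"
sample_inventory | audit_inventory
```

Hosts reported as `unknown` should be treated as unpatched until their version is confirmed.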