Microsoft: This macOS bug could bypass controls and access private user data

Jan, 11, 2022 Hi-network.com

Microsoft has detailed how malware on macOS can bypass the privacy preferences enforced by Transparency, Consent, and Control (TCC), Apple's macOS system for controlling apps' access to sensitive user data.

The 'powerdir' bug, which Apple fixed in its December 13 update for macOS up to Monterey, lets an attacker bypass TCC to gain access to a user's protected data. 

The bug was discovered by Microsoft security researcher Jonathan Bar Or. Microsoft is interested in macOS security because Defender for Endpoint can be used in an enterprise to protect non-Windows devices.

Microsoft's 365 Defender Research Team noted in a blog post that Apple introduced a feature to protect TCC that "prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access."

However, Or discovered that it is "possible to programmatically change a target user's home directory and plant a fake TCC database, which stores the consent history of app requests."

"If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user's protected personal data," Microsoft said. 

An attacker could hijack an already installed app or install their own malicious app to access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user's screen, Microsoft explained. 

TCC appeared in 2012 in OS X Mountain Lion and is behind the system notifications users see when giving or denying 'consent' for specific applications to access private data, which includes access to the device's camera, microphone, location, and access to the user's calendar or iCloud account. 

Apple doesn't detail TCC directly in its security manual. However, according to security firm SentinelOne, TCC's purpose is described in a section of the manual detailing how macOS and iOS protect app access to user data. Users can manage these privacy protections in macOS within the Security & Privacy section of System Preferences.

"Apple devices help prevent apps from accessing a user's personal information without permission using various technologies including Data Vault. In Settings in iOS and iPadOS, or System Preferences in macOS, users can see which apps they have permitted to access certain information as well as grant or revoke any future access," Apple explains. 

Microsoft's TCC bypass flaw offers a new way around the protections Apple added in response to previously discovered TCC bypasses, including CVE-2020-9771, CVE-2020-9934, and CVE-2021-30713.

To protect TCC from these bypass flaws, Apple introduced a feature that prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access. Those fixes protected TCC.db (database) files from being incorrectly accessed through, for example, Time Machine backups or alternative file paths.

Microsoft's bypass of Apple's TCC protections worked by planting a fake TCC.db file and changing the home directory using a specific 'superuser' sudo command in the Directory Services command-line utility.

"While requiring root access, we discovered that this works only if the app is granted with the TCC policy kTCCServiceSystemPolicySysAdminFiles, which the local or user-specific TCC.db maintains," explains Microsoft.  

"That is weaker than having full disk access, but we managed to bypass that restriction with the dsexport and dsimport utilities."

Microsoft's proof of concept demonstrated that attackers could change the settings on any application, potentially allowing them to enable microphone and camera access on any app - hence the bug's name "Powerdir". 
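
For defenders, the home-directory change and the dsexport/dsimport use described above are visible in process-execution telemetry. The following Python is an added example, not code from Microsoft or Apple; it assumes the Directory Services utility is dscl and that the home path is held in the NFSHomeDirectory attribute, and every event record in it is constructed.

```python
import shlex
from os.path import basename

# Assumptions (not named on the page): the utility is dscl, the attribute NFSHomeDirectory.
HOME_ATTR = "NFSHomeDirectory"
WRITE_VERBS = {"-create", "-change", "-append", "-merge"}  # dscl verbs that modify a record

# Constructed process-execution events, not real telemetry; tool arguments are placeholders.
SAMPLE_EVENTS = [
    {"pid": 410, "user": "alice", "cmdline": "/usr/bin/dscl . -read /Users/alice NFSHomeDirectory"},
    {"pid": 522, "user": "alice", "cmdline": "sudo -u root /usr/bin/dscl . -change /Users/alice NFSHomeDirectory /Users/alice /private/tmp/h"},
    {"pid": 530, "user": "bob", "cmdline": "/usr/bin/dsexport constructed-args"},
    {"pid": 531, "user": "bob", "cmdline": "/usr/bin/dsimport constructed-args"},
    {"pid": 540, "user": "carol", "cmdline": "grep dsimport /var/log/install.log"},
]

def effective_argv(cmdline):
    """Tokenise a command line and drop a leading sudo together with its options."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes, e.g. a truncated log line
        return []
    if argv and basename(argv[0]) == "sudo":
        i = 1
        while i < len(argv) and argv[i].startswith("-"):
            i += 2 if argv[i] in ("-u", "-g") else 1  # these options take a value
        argv = argv[i:]
    return argv

def classify(cmdline):
    """Return a finding name for the executed tool, or None when nothing matches."""
    argv = effective_argv(cmdline)
    tool = basename(argv[0]) if argv else ""
    if tool == "dscl" and HOME_ATTR in argv and WRITE_VERBS & set(argv):
        return "home-directory-write"
    return tool if tool in ("dsexport", "dsimport") else None

def scan(events):
    """Return (pid, user, finding); an import after an export by the same user is escalated."""
    findings, exported = [], set()
    for ev in events:
        kind = classify(ev["cmdline"])
        if kind == "dsexport":
            exported.add(ev["user"])
        elif kind == "dsimport" and ev["user"] in exported:
            kind = "dsexport-then-dsimport"
        if kind:
            findings.append((ev["pid"], ev["user"], kind))
    return findings
```

Only the command position is matched, so reading the attribute or mentioning a tool name as an argument to another program produces no finding.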
