
Microsoft has discovered a new vulnerability in macOS called “HM Surf” that allows attackers to bypass the TCC protection system and access sensitive user data without their consent. Apple has already released a patch for this problem, but it may still be a threat to many devices.
Microsoft’s Threat Intelligence team has discovered a serious vulnerability in macOS that allows attackers to bypass the Transparency, Consent, and Control (TCC) framework and access sensitive user data, such as browser history, location, camera, and microphone, without their permission. The vulnerability is named “HM Surf” and allows attackers to modify configuration files in the Safari directory, bypass TCC and gain access to protected data. Microsoft reported this vulnerability to Apple through a Coordinated Vulnerability Disclosure (CVD), and Apple released a patch for macOS Sequoia in September 2024. However, the threat remains relevant, as similar methods can be used with other browsers.
The “HM Surf” vulnerability allows attackers to compromise systems without user interaction, and can be exploited via malicious sites or links. Microsoft Defender for Endpoint already detects and blocks activity related to the exploitation of this vulnerability.
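As an added example (not from the original article, and not Microsoft Defender's detection logic), the following flags modifications to a user's Safari directory made by any process other than Safari itself, which is the behaviour the vulnerability relies on. The JSON event format, the sample events, the file names and the one-entry process allowlist are assumptions constructed for illustration.

```python
import json
import posixpath
import re

# Assumption: the only process expected to modify the Safari directory.
# A production rule would match on code-signing identity, not on path.
ALLOWED_PROCS = {"/Applications/Safari.app/Contents/MacOS/Safari"}
MODIFY_OPS = {"create", "write", "rename", "unlink"}
# Per-user Safari directory; APFS is case-insensitive by default.
SAFARI_DIR = re.compile(r"^/Users/[^/]+/Library/Safari(/|$)", re.IGNORECASE)

# Constructed sample events. Field names and file names are hypothetical and
# do not match any particular EDR or Endpoint Security export format.
SAMPLE_EVENTS = """\
{"ts": "2024-10-01T10:00:01Z", "proc": "/Applications/Safari.app/Contents/MacOS/Safari", "op": "write", "path": "/Users/alice/Library/Safari/example-prefs.db"}
{"ts": "2024-10-01T10:00:05Z", "proc": "/usr/bin/python3", "op": "write", "path": "/Users/alice/Library/Safari/example-prefs.db"}
{"ts": "2024-10-01T10:00:09Z", "proc": "/tmp/helper", "op": "rename", "path": "/Users/alice/Library/Caches/../safari/example-prefs.db"}
{"ts": "2024-10-01T10:00:12Z", "proc": "/usr/bin/python3", "op": "read", "path": "/Users/alice/Library/Safari/example-prefs.db"}
{"ts": "2024-10-01T10:00:15Z", "proc": "/bin/cp", "op": "write", "path": "/Users/alice/Documents/Safari/notes.txt"}
{"ts": "2024-10-01T10:00:20Z", "proc": "/tmp/Safari", "op": "create", "path": "/Users/alice/Library/Safari/example.plist"}
"""

def suspicious_safari_writes(lines):
    """Return events where a non-allowlisted process modifies ~/Library/Safari."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        target = posixpath.normpath(ev["path"])  # collapse ".." and "//"
        if ev["op"] not in MODIFY_OPS:
            continue  # reads are out of scope for this rule
        if not SAFARI_DIR.match(target):
            continue  # e.g. ~/Documents/Safari is not the protected directory
        if posixpath.normpath(ev["proc"]) in ALLOWED_PROCS:
            continue  # full-path match, so a binary merely named "Safari" fails
        hits.append({**ev, "path": target})
    return hits

if __name__ == "__main__":
    for hit in suspicious_safari_writes(SAMPLE_EVENTS):
        print(f'{hit["ts"]} {hit["proc"]} {hit["op"]} {hit["path"]}')
```
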
TCC technology in macOS typically blocks access to sensitive data by requiring user permission through pop-ups or settings. However, Safari has special rights to bypass these checks, which is why attackers were able to exploit the vulnerability. This is not the first time such problems have been discovered: in the past, Microsoft has discovered the “powerdir” and “Shrootless” vulnerabilities, which could also bypass macOS security mechanisms.
Microsoft continues to investigate new vulnerabilities in macOS and other operating systems to protect users from threats. Collaboration with companies like Apple helps identify and fix critical vulnerabilities before they become a serious threat.