Date: 2022-01-11



Microsoft today published details of a vulnerability in Apple’s macOS that could allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to protected user data.

The Microsoft Security Vulnerability Research (MSVR) team reported the discovery to Apple’s product security team on July 15, 2021. Apple addressed the flaw, tracked as CVE-2021-30970 and called “Powerdir,” in a security update rollout released on December 13.

TCC is an Apple subsystem introduced in macOS Mountain Lion in 2012. The technology is designed to let users configure the privacy settings of applications on their devices, such as access to cameras and microphones or to their calendars and iCloud accounts. To protect TCC, Apple created a feature to prevent malicious code execution and applied a policy that limits TCC access to applications with full disk access.

The vulnerability discovered by Microsoft could allow an attacker to evade this feature and launch an attack on a macOS device. Microsoft has confirmed that the flaw has not actually been abused and that it affects only macOS; iOS devices are not affected.

When an app requests access to protected user data, one of two actions occurs: If the app and request type have records in the TCC database, the database entry flag indicates whether to allow or deny the request without user interaction. If there is no record, the user will be prompted to allow or deny access.

Researchers found that it is possible to programmatically change the target home directory and create a fake TCC database that stores the consent history of app requests. Jonathan Bar Or, along with the Microsoft 365 Defender Research Team, wrote a blog post about the findings. When exploited on unpatched systems, this flaw could allow an attacker to launch an attack based on the victim’s protected personal data.
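The lookup described above (a stored record allows or denies without user interaction, no record means a prompt) can be sketched as follows. This is an added example, not code from Microsoft's write-up or from Apple: the table layout is a simplified, constructed stand-in for the TCC database and the bundle IDs are hypothetical. `silent_grants` shows the review a defender would run, since any allow record in the database that gets consulted is honored without a prompt.

```python
import sqlite3

# Simplified, constructed schema: one row per (service, client) consent record.
# This is NOT the real TCC.db layout; it only models the lookup described above.
SCHEMA = (
    "CREATE TABLE access (service TEXT, client TEXT, allowed INTEGER, "
    "PRIMARY KEY (service, client))"
)

# Constructed sample records; the bundle IDs are hypothetical.
SAMPLE_ROWS = [
    ("kTCCServiceMicrophone", "com.example.videochat", 1),
    ("kTCCServiceCamera", "com.example.videochat", 1),
    ("kTCCServiceMicrophone", "com.example.game", 0),
    ("kTCCServiceScreenCapture", "com.example.unknown-helper", 1),
]

def build_sample_db(rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", rows)
    return conn

def decide(conn, service, client):
    """Return 'allow' or 'deny' from a stored record, otherwise 'prompt'."""
    row = conn.execute(
        "SELECT allowed FROM access WHERE service = ? AND client = ?",
        (service, client),
    ).fetchone()
    if row is None:
        return "prompt"  # no record: the user is asked
    return "allow" if row[0] else "deny"  # record found: no user interaction

def silent_grants(conn, sensitive_services, expected_clients):
    """Allow records for sensitive services held by clients not on the expected list."""
    marks = ",".join("?" * len(sensitive_services))
    rows = conn.execute(
        "SELECT service, client FROM access WHERE allowed = 1 "
        f"AND service IN ({marks}) ORDER BY service, client",
        tuple(sensitive_services),
    ).fetchall()
    return [(s, c) for s, c in rows if c not in expected_clients]

if __name__ == "__main__":
    db = build_sample_db()
    print(decide(db, "kTCCServiceMicrophone", "com.example.videochat"))
    print(decide(db, "kTCCServiceCamera", "com.example.game"))
    print(silent_grants(db, ["kTCCServiceScreenCapture"], {"com.example.videochat"}))
```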

“For example, an attacker could hijack an app installed on a device, install a malicious app to access a microphone, record a private conversation, or display sensitive information on a user’s screen. You might even capture a screenshot of it,” he explained.

This is the latest in a series of TCC vulnerabilities that Apple has recently patched. Last year, Apple patched CVE-2021-30713, a flaw that allowed an attacker to bypass TCC protection and deliver XCSSET malware. Once on a machine, XCSSET uses the bypass to take a screenshot of the user’s desktop without the need for permissions, according to the Jamf researchers who found the bug.

Other TCC bypass vulnerabilities reported in the previous year included CVE-2020-9771 and CVE-2020-9934. Apple’s fix for the latter caught Microsoft’s attention, and the team’s analysis found an exploit that attackers could use to change the settings of any application. After Microsoft disclosed the findings to Apple, a similar bypass was announced in a Black Hat USA talk. However, Microsoft’s exploit continued to work after Apple fixed that similar vulnerability.

The researchers needed to change their proof of concept after the October release of macOS Monterey, which changed the behavior of the dsimport tool and disabled the first PoC exploit.

“This indicates that, even as macOS and other operating systems and applications are enhanced with each release, software vendors such as Apple, security researchers, and the large security community need to continue to cooperate to identify and fix vulnerabilities before they become available to attackers,” Bar Or wrote.

