Microsoft safety researchers discovered a macOS exploit that may alter TCC permissions

Why it issues: On Monday, Microsoft publicly disclosed a vulnerability in macOS that might be used to entry or exfiltrate delicate person knowledge. The exploit is facilitated by a flaw within the Transparency, Consent, and Management (TCC) framework. The TCC platform is a part of macOS that permits customers to regulate what apps can entry customers’ knowledge, recordsdata, and elements.

Microsoft 365 Defender Analysis Workforce dubbed the vulnerability (CVE-2021-30970) “powerdir” named after the software program exploit created by Microsoft researcher Jonathan Bar Or. Microsoft notified Cupertino of the safety flaw in July 2021. Apple patched the flaw in December with macOS 11.6 and 12.1.

“We found that it’s doable to programmatically change a goal person’s residence listing and plant a faux TCC database, which shops the consent historical past of app requests,” defined Or. “If exploited on unpatched techniques, this vulnerability might enable a malicious actor to doubtlessly orchestrate an assault primarily based on the person’s protected private knowledge.”

Screenshots present this system granting Or entry to each the microphone and digicam. Nonetheless, the TCC additionally maintains permission for different elements, together with display recording, Bluetooth, location companies, contacts, pictures, and extra.

Whereas Microsoft created the software program particularly for this process, any app might use the identical method to take advantage of the opening. The attacker wants full disk entry to the TCC database, which might be granted through different strategies. As soon as gained, hackers can assign or reassign entry permissions as they please.

Powerdir is the third TCC bypass discovered within the final couple of years. The opposite two (CVE-2020-9934 and CVE-2020-27937) had been disclosed and patched in 2020. One other flaw (CVE-2021-30713) discovered final yr in all Apple working techniques allowed attackers arbitrary management over permissions, which hackers actively exploited earlier than being mounted in Could.