Jan 15, 2022

MacOS Bug Could Let Creeps Snoop On You

The flaw could allow attackers to bypass Privacy preferences, giving apps with no right to access files, microphones or cameras the ability to record you or grab screenshots.
Microsoft on Monday released details about a bug in macOS that Apple fixed last month – named “powerdir” – that could let attackers hijack apps, install their own nasty apps, use the microphone to eavesdrop or grab screenshots of whatever’s displayed on your screen.
The vulnerability allows malicious apps to bypass privacy preferences. Specifically, it could allow an attacker to bypass the operating system’s Transparency, Consent and Control (TCC) technology, thereby gaining unauthorized access to a user’s protected data, the Microsoft 365 Defender Research Team said in its advisory.
Introduced in 2012 in macOS Mountain Lion, TCC helps users to configure their apps’ privacy settings by requiring that all apps get user consent before accessing files in Documents, Downloads, Desktop, iCloud Drive, calendar and network volumes, as well as before the apps are allowed to access the device’s camera, microphone or location.

Apple released a fix for the vulnerability – identified as CVE-2021-30970 – in macOS Big Sur and macOS Monterey, as part of its Dec. 13, 2021 security updates. At the time, as is typical, Apple didn’t give much detail, merely stating that the flaw was a logic issue that could allow a malicious app to bypass privacy preferences, a flaw that it addressed with improved state management.
TCC stores the consent history of app requests. The feature prevents unauthorized code execution by restricting full disk access to only those apps with appropriate privileges – at least, that’s the way it’s supposed to work.
But Microsoft researchers discovered that it’s possible to programmatically change a target user’s home directory and to plant a fake TCC database.
“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data,” they explained in Monday’s advisory. “For example, the attacker could hijack an app installed on the device – or install their own malicious app – and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen.”
Typically, users manage TCC under System Preferences in macOS (System Preferences > Security & Privacy > Privacy).
The macOS Security & Privacy pane that serves as the front end of TCC. Source: Microsoft.
As Microsoft explained, when an app requests access to protected user data, one of two things can happen:
If an attacker gets full disk access to the TCC databases, Microsoft explained that the world’s then their app oyster: “They could edit it to grant arbitrary permissions to any app they choose, including their own malicious app. The affected user would also not be prompted to allow or deny the said permissions, thus allowing the app to run with configurations they may not have known or consented to.”
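Because an edited database grants access without any prompt, defenders can compare the recorded grants against what the user or organization has actually approved. The sketch below is an added example, not code from Microsoft or Apple. It assumes the `access` table and `auth_value` column (2 meaning allowed) used by TCC.db on Big Sur and later, and it runs against a constructed, simplified in-memory database with made-up bundle IDs.

```python
import sqlite3

# Services whose grants expose what the article names: microphone,
# camera, screen capture and full disk access.
SENSITIVE = {
    "kTCCServiceMicrophone", "kTCCServiceCamera",
    "kTCCServiceScreenCapture", "kTCCServiceSystemPolicyAllFiles",
}
ALLOWED = 2  # assumption: auth_value 2 means "allowed" (Big Sur and later)

def audit_tcc(conn, approved):
    """Return sorted (service, client) grants that are not in `approved`."""
    rows = conn.execute(
        "SELECT service, client FROM access WHERE auth_value = ?", (ALLOWED,))
    return sorted((s, c) for s, c in rows
                  if s in SENSITIVE and (s, c) not in approved)

def sample_db():
    """Constructed, simplified stand-in for a TCC.db; the real table has more columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", [
        ("kTCCServiceMicrophone", "com.example.meetings", 2),
        ("kTCCServiceCamera", "com.example.meetings", 2),
        ("kTCCServiceScreenCapture", "com.example.unknown-helper", 2),
        ("kTCCServiceMicrophone", "com.example.game", 0),    # denied, ignored
        ("kTCCServiceAddressBook", "com.example.mail", 2),   # not a sensitive service
    ])
    return conn

# Hypothetical allowlist: grants the user is known to have approved.
APPROVED = {
    ("kTCCServiceMicrophone", "com.example.meetings"),
    ("kTCCServiceCamera", "com.example.meetings"),
}

if __name__ == "__main__":
    for service, client in audit_tcc(sample_db(), APPROVED):
        print(f"unexpected grant: {client} -> {service}")
```

To audit a real database, pass a connection opened read-only on a copy of the user's TCC.db, for example with `sqlite3.connect("file:<path>?mode=ro", uri=True)`.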
This isn’t the first time that TCC databases have shown themselves to be susceptible to bypass. Microsoft listed this trio of past vulnerabilities:
Apple has responded to those vulnerabilities with two changes: It protected the system-wide TCC.db via System Integrity Protection (SIP), a macOS feature that prevents unauthorized code execution, and it enforced a TCC policy that only apps with full disk access can access the TCC.db files.
“Note, though, that this policy was also subsequently abused as some apps required such access to function properly (for example, the SSH daemon, sshd),” Microsoft researchers noted.
Apple has since patched these vulnerabilities, but Microsoft said that its research shows that “the potential bypass to TCC.db can still occur.”
Microsoft’s very predictable, inarguable advice: “We encourage macOS users to apply these security updates as soon as possible.”