Why it issues: On Monday, Microsoft publicly disclosed a vulnerability in macOS that may very well be used to entry or exfiltrate delicate person knowledge. The exploit is facilitated by a flaw within the Transparency, Consent, and Management (TCC) framework. The TCC platform is a part of macOS that permits customers to regulate what apps can entry customers’ knowledge, recordsdata, and parts.
Microsoft 365 Defender Analysis Group dubbed the vulnerability (CVE-2021-30970) “powerdir” named after the software program exploit created by Microsoft researcher Jonathan Bar Or. Microsoft notified Cupertino of the safety flaw in July 2021. Apple patched the flaw in December with macOS 11.6 and 12.1.
“We found that it’s potential to programmatically change a goal person’s house listing and plant a pretend TCC database, which shops the consent historical past of app requests,” defined Or. “If exploited on unpatched programs, this vulnerability may permit a malicious actor to probably orchestrate an assault primarily based on the person’s protected private knowledge.”
Screenshots present this system granting Or entry to each the microphone and digicam. Nonetheless, the TCC additionally maintains permission for different parts, together with display screen recording, Bluetooth, location companies, contacts, photographs, and extra.
Whereas Microsoft created the software program particularly for this job, any app may use the identical method to take advantage of the outlet. The attacker wants full disk entry to the TCC database, which may very well be granted by way of different strategies. As soon as gained, hackers can assign or reassign entry permissions as they please.
Powerdir is the third TCC bypass discovered within the final couple of years. The opposite two (CVE-2020-9934 and CVE-2020-27937) had been disclosed and patched in 2020. One other flaw (CVE-2021-30713) discovered final yr in all Apple working programs allowed attackers arbitrary management over permissions, which hackers actively exploited earlier than being fastened in Might.