Microsoft Has Discovered a Serious Security Flaw in Safari on Mac
When Apple released macOS Sequoia last month, it added new features like window snapping and the ability to control your iPhone from your Mac. Beyond the visible changes, the update also shipped a long list of fixes for security vulnerabilities. One of those vulnerabilities was discovered by none other than Microsoft, and it is quite troubling for Macs used in organizations.
How the TCC vulnerability works in Safari
Microsoft described its findings in a blog post on October 17, about a month after the September 16 release of macOS Sequoia. The company calls the vulnerability "HM Surf", after the Hidden Machine move from the Pokémon games (it is tracked as CVE-2024-44133), and it allows an attacker to bypass Apple's Transparency, Consent, and Control (TCC) framework for Safari. TCC normally ensures that an app cannot reach sensitive resources such as your location, camera or microphone until you have explicitly granted it permission, which is what protects your privacy from apps that would otherwise abuse them.
Apple does, however, grant some of its own apps entitlements that let them skip these TCC checkpoints; the reasoning is that an Apple app is trusted not to be malicious. In Safari's case, Microsoft found that the browser holds an entitlement giving it access to your Mac's address book, camera, microphone and other services without a TCC prompt.
You still see permission prompts when using Safari on websites: when a page asks for something like your camera, a pop-up asks whether you want to allow it. Safari stores these per-website permission settings in a directory on your Mac at ~/Library/Safari, and that directory is itself protected by TCC, so ordinary apps cannot read or modify it.
This is where the exploit comes in. The protection on ~/Library/Safari is tied to the user's current home directory, and Microsoft found that the home directory can be changed (the dscl utility lets you do this, and dscl is not subject to TCC). Point the home directory somewhere else, and the files in the real home directory are no longer covered; modify Safari's per-site settings there, switch the home directory back, and Safari reads the tampered files as if they were its own. Congratulations: you have bypassed TCC and can take a photo with the Mac's webcam or read its location.
Microsoft says an attacker in this position could take a number of actions: save a webcam snapshot somewhere they can retrieve it later, record video from the webcam, stream microphone audio to an external host, and run Safari in a tiny window so you do not notice the activity. Third-party browsers are not affected, because they hold no entitlement to skip TCC and must go through the normal checks.
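A detection angle on the sequence just described, as an added example that is not part of Microsoft's report or this article: a small Python checker run over constructed telemetry that flags the home-directory redirect (dscl rewriting NFSHomeDirectory to a path other than /Users/&lt;user&gt;), any non-Safari write under the real ~/Library/Safari while the redirect is live, and the restore. The Event format, the timestamps, the process names and the file names are constructed for the example; real EDR or Endpoint Security data will look different.

```python
"""HM Surf detection sketch: an added example, not code from Microsoft's
or Apple's report.

It replays constructed process-execution and file-write events (the Event
format is an assumption; real EDR or Endpoint Security telemetry differs)
and flags the three-step pattern: a user's home directory is redirected
with dscl, a process other than Safari then writes under the real
~/Library/Safari while the redirect is in place, and the home directory
is pointed back.
"""
import shlex
from dataclasses import dataclass

SAFARI_DIR = "Library/Safari"  # TCC-protected Safari data directory


@dataclass(frozen=True)
class Event:
    ts: float      # seconds (constructed timestamps)
    kind: str      # "exec" for process start, "write" for file modification
    user: str      # account the process ran as
    process: str   # executable basename
    detail: str    # exec: full command line; write: path written


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    ts: float
    note: str


def expected_home(user: str) -> str:
    return f"/Users/{user}"


def parse_dscl_home_change(cmdline: str):
    """Return (target_user, new_home) for a command of the form
    'dscl <node> -create /Users/<user> NFSHomeDirectory <path>', else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if len(argv) < 6 or argv[0].rsplit("/", 1)[-1] != "dscl":
        return None
    if argv[2] != "-create" or argv[4] != "NFSHomeDirectory":
        return None
    if not argv[3].startswith("/Users/"):
        return None
    return argv[3].rsplit("/", 1)[-1], argv[5]


def detect_hm_surf(events, window: float = 900.0):
    """Walk events in time order and emit findings for the redirect /
    tamper / restore sequence. `window` bounds how long after a redirect
    a write to the real Safari directory is still attributed to it."""
    findings = []
    redirected = {}  # target user -> (ts of redirect, fake home)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "exec":
            parsed = parse_dscl_home_change(ev.detail)
            if parsed is None:
                continue
            target, new_home = parsed
            if new_home != expected_home(target):
                redirected[target] = (ev.ts, new_home)
                findings.append(Finding("home_redirected", target, ev.ts,
                                        f"NFSHomeDirectory set to {new_home} by {ev.user}"))
            elif target in redirected:
                start, fake = redirected.pop(target)
                findings.append(Finding("home_restored", target, ev.ts,
                                        f"restored from {fake} after {ev.ts - start:.0f}s"))
        elif ev.kind == "write" and ev.process != "Safari":
            # Writes by Safari itself are normal; anything else touching the
            # real Safari directory while the home is redirected is suspect.
            for target, (start, fake) in redirected.items():
                prefix = f"{expected_home(target)}/{SAFARI_DIR}/"
                if ev.detail.startswith(prefix) and ev.ts - start <= window:
                    findings.append(Finding("safari_dir_write_while_redirected", target, ev.ts,
                                            f"{ev.process} wrote {ev.detail}"))
    return findings


# Constructed sample telemetry (not real logs): Safari runs, the home
# directory is swapped, a sqlite3 write lands in the real Safari directory
# (file name illustrative), the home directory is restored, and later
# Safari itself writes normally.
SAMPLE_EVENTS = [
    Event(1000.0, "exec", "alice", "Safari", "/Applications/Safari.app/Contents/MacOS/Safari"),
    Event(1001.0, "exec", "alice", "dscl", "dscl . -create /Users/alice NFSHomeDirectory /private/tmp/hmsurf"),
    Event(1002.5, "write", "alice", "sqlite3", "/Users/alice/Library/Safari/PerSitePreferences.db"),
    Event(1003.0, "exec", "alice", "dscl", "dscl . -create /Users/alice NFSHomeDirectory /Users/alice"),
    Event(1100.0, "write", "alice", "Safari", "/Users/alice/Library/Safari/History.db"),
    Event(1200.0, "exec", "alice", "ls", "ls -la /Users/alice"),
]


if __name__ == "__main__":
    for f in detect_hm_surf(SAMPLE_EVENTS):
        print(f"{f.ts:.0f} {f.rule:<34} user={f.user} {f.note}")
```

On a real host the same three signals come from process-execution and file-write telemetry. The cheapest standalone check, with no event stream at all, is to compare what `dscl . -read /Users/<user> NFSHomeDirectory` returns for each local account against /Users/<user>; a mismatch is not proof of anything, but it is exactly the state the technique relies on.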
Microsoft also saw suspicious activity during its investigation that could indicate the vulnerability had already been exploited, but it could not say so for certain.
This vulnerability only affects Macs managed by MDM
After reading Microsoft's report, you may worry about attackers spying on your Mac through Safari. What the report does not make explicit, though, is that this vulnerability only affects MDM-managed Macs: machines enrolled in mobile device management, which are owned by an organization and controlled by central IT. That includes a Mac issued to you at work or one owned by your school.
Apple confirms this in its security notes for macOS Sequoia, in a fairly succinct entry on the privacy and security impact.
Of course, the impact is still serious, just much more limited. You do not have to worry about Safari on your personal Mac letting attackers at your webcam, microphone and location. But if you have a work or school Mac that is managed by MDM, this is a concern and you should install the update as soon as possible.
Fixing the vulnerability on an MDM-managed Mac
This issue affects the following Macs: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later).
Your organization may already have pushed the update to your Mac if it is eligible. If you do not yet have macOS Sequoia installed, check with your company or school IT staff to find out when the update will be made available.