Microsoft has recently shared details about a serious security bypass issue affecting Apple macOS systems. Exploiting the bug could allow an adversary to bypass Apple’s TCC controls and access users’ private data.
macOS Security Bypass Bug
Reportedly, Microsoft has identified a security bypass bug, dubbed ‘powerdir’, in macOS systems that exposed protected data. The Microsoft researcher caught the bug while analyzing Mac systems as part of extending Defender for Endpoint to non-Windows systems.
As elaborated, the vulnerability could allow bypassing Apple’s Transparency, Consent, and Control (TCC) technology. TCC controls how apps access the data on a device. This feature allows users to manage app permissions for device components (such as the camera and microphone) and for software such as iCloud accounts.
Apple protects the TCC database by restricting access to apps with full-disk access only. Nonetheless, Microsoft discovered that an adversary could exploit an otherwise legitimate app, or plant a maliciously crafted one, to bypass this check. As stated,
We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.
As observed, this macOS vulnerability even affects the latest Monterey release and is different from previously addressed TCC bugs.
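The defender’s side of this, as an added example that is not from the article or from Microsoft’s write-up: because the technique described above works by redirecting a user’s home directory so that macOS consults a planted TCC database, an audit can check that every local account’s NFSHomeDirectory attribute still points where it should. The `dscl . -list /Users NFSHomeDirectory` command is the real macOS directory-services query; the sample output embedded below is constructed for the example, and the list of expected home-directory prefixes is an assumption you should adjust for your own fleet.

```python
"""Audit local macOS accounts for home-directory tampering.

Added example; not part of the original article or Microsoft's research.
The check parses `dscl . -list /Users NFSHomeDirectory` output (one line
per account: name, whitespace, home path) and flags accounts whose home
lives outside the usual locations or points at another user's directory.
"""
import shutil
import subprocess
from typing import Dict, List, Optional

# CONSTRUCTED sample of `dscl . -list /Users NFSHomeDirectory` output.
# "mallory" has been redirected to a writable scratch directory, which is
# the shape of anomaly a fake-TCC-database attack would produce.
SAMPLE_DSCL_OUTPUT = """\
_appleevents   /var/empty
_www           /Library/WebServer
alice          /Users/alice
bob            /Users/bob
nobody         /var/empty
root           /var/root
mallory        /tmp/fake_home
"""

# Assumption: home directories for local accounts normally sit under one
# of these prefixes. Tune this for environments with network homes.
EXPECTED_PREFIXES = ("/Users/", "/var/", "/private/var/", "/Library/")


def parse_dscl_list(text: str) -> Dict[str, str]:
    """Turn 'name   /path' lines into a {user: home} mapping."""
    homes: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line
        homes[parts[0]] = parts[1].strip()
    return homes


def find_suspicious_homes(homes: Dict[str, str]) -> List[str]:
    """Return account names whose home directory is anomalous.

    Flags a home that is outside EXPECTED_PREFIXES, or a /Users/... home
    whose last component is not the account's own name (one user's home
    pointing into another user's directory would also land on a different
    TCC database).
    """
    flagged: List[str] = []
    for user, home in homes.items():
        if not home.startswith(EXPECTED_PREFIXES):
            flagged.append(user)
        elif home.startswith("/Users/") and home.rstrip("/") != f"/Users/{user}":
            flagged.append(user)
    return flagged


def audit_live_system() -> Optional[List[str]]:
    """Run the real dscl query when on macOS; return None elsewhere."""
    if shutil.which("dscl") is None:
        return None
    out = subprocess.run(
        ["dscl", ".", "-list", "/Users", "NFSHomeDirectory"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_suspicious_homes(parse_dscl_list(out))


if __name__ == "__main__":
    live = audit_live_system()
    if live is None:
        print("dscl not available; checking the constructed sample instead")
        print("suspicious accounts:", find_suspicious_homes(parse_dscl_list(SAMPLE_DSCL_OUTPUT)))
    else:
        print("suspicious accounts:", live)
```

A hit from this check is a lead, not a verdict: accounts with deliberately relocated homes (for example on a network volume) will also appear, so pair the result with a look at whether a `Library/Application Support/com.apple.TCC/TCC.db` exists under the unexpected path and who owns it.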
The researcher Jonathan Bar from Microsoft 365 Defender Research Team has shared technical details of this vulnerability in a post.
Apple Deployed The Fix
After discovering the bug, Microsoft reported the matter to Apple, which then addressed it with macOS Monterey.
However, Microsoft discovered a second exploit that affected even this macOS version. Hence, they again responsibly disclosed the bug (CVE-2021-30970) to Apple, which subsequently released a patch with macOS Monterey 12.1.
It is now up to users to update their devices promptly to receive the patches and avoid potential exploits.
Last modified: January 18, 2022