Yesterday, Microsoft disclosed details of a recently patched macOS security vulnerability that could help attackers bypass TCC (Transparency, Consent and Control) to expose protected user data.
The vulnerability, tracked as CVE-2021-30970 and dubbed powerdir, consists of a logic issue in the TCC security framework, letting malicious applications bypass Privacy preferences.
TCC is a macOS security component that lets users adjust privacy settings of apps and connected devices, such as microphones and cameras, to protect their private data.
Microsoft reported the vulnerability in July 2021, and Apple addressed it in December 2021 by rolling out the macOS 11.6 and 12.1 updates, including improved state management.
These updates restricted TCC access exclusively to apps with full disk access and enforced a set of rules to block unauthorized code execution automatically. Previously, attackers could bypass these limitations by deploying a fake TCC database that would let them access private user data, according to Microsoft security researchers.
“We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests,” Microsoft principal security researcher Jonathan Bar Or said. “If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data.”
In other words, if a threat actor gains full disk access to the TCC databases on a vulnerable macOS system, they could modify them to grant elevated rights to any app, enabling the app to perform a series of high-privilege operations.
In this scenario, working around a system’s privacy preferences could allow perpetrators to access the device’s microphone or webcam and even capture screenshots of critical user data.
Seeing as attackers can still exploit the vulnerability on unpatched systems, macOS users should apply Apple’s security updates as soon as possible.
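For defenders, the changed home directory and planted TCC database described above suggest a simple audit. The following is an added example, not code from Microsoft or Apple: it takes (user, home directory) pairs and flags homes outside an expected root, noting when a per-user TCC.db sits there. The `/Users` root, the function names and the sample records are assumptions made for illustration.

```python
import os
import tempfile

# Per-user TCC database location, relative to a macOS home directory.
TCC_REL = os.path.join("Library", "Application Support", "com.apple.TCC", "TCC.db")


def audit_homes(records, expected_root="/Users"):
    """Flag accounts whose home directory lies outside expected_root.

    records: iterable of (username, home_dir) pairs, e.g. exported from
    directory services. expected_root is an assumption about where
    legitimate homes live. Returns (username, home_dir, reason) tuples.
    """
    root = os.path.normpath(expected_root)
    findings = []
    for user, home in records:
        norm = os.path.normpath(home)
        # Relative paths are never a legitimate home; absolute ones must
        # sit under the expected root after ".." segments are resolved.
        outside = (not os.path.isabs(norm)
                   or os.path.commonpath([root, norm]) != root)
        if not outside:
            continue
        if os.path.isfile(os.path.join(norm, TCC_REL)):
            reason = "TCC.db present under home outside expected root"
        else:
            reason = "home directory outside expected root"
        findings.append((user, home, reason))
    return findings


def demo():
    """Build two constructed homes, each with an empty TCC.db, and audit them."""
    with tempfile.TemporaryDirectory() as base:
        users_root = os.path.join(base, "Users")
        normal_home = os.path.join(users_root, "alice")      # constructed
        moved_home = os.path.join(base, "scratch", "bob")    # constructed
        for home in (normal_home, moved_home):
            db = os.path.join(home, TCC_REL)
            os.makedirs(os.path.dirname(db))
            open(db, "wb").close()
        records = [("alice", normal_home), ("bob", moved_home)]
        return [(u, r) for u, _, r in audit_homes(records, users_root)]


if __name__ == "__main__":
    print(demo())
```

A finding is a prompt to investigate rather than proof of compromise, since some environments legitimately place home directories elsewhere.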