Microsoft has disclosed a macOS vulnerability that threat actors could leverage to bypass Transparency, Consent, and Control (TCC) protections and gain access to users’ protected data. The Microsoft 365 Defender Research Team reported the vulnerability, dubbed powerdir and tracked as CVE-2021-30970, to Apple on July 15, 2021, through Microsoft Security Vulnerability Research (MSVR).
TCC is a security technology that lets macOS users control the privacy settings of apps installed on their computers and of devices connected to their Macs, such as cameras and microphones, so that apps cannot access sensitive user data without consent. Although Apple restricts access to the TCC databases to apps with Full Disk Access and has put mechanisms in place to prevent unauthorized code execution, Microsoft’s researchers found that an attacker could plant a second, specially crafted TCC database that grants access to protected user data.
“We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests,” stated Jonathan Bar Or, a principal security researcher at Microsoft. If exploited on unpatched systems, the vulnerability could allow a malicious actor to orchestrate an attack based on the user’s protected personal data. Apple has addressed other TCC bypasses since 2020, including:
- Time Machine mounts (CVE-2020-9771)
- Environment variable poisoning (CVE-2020-9934)
- Bundle conclusion issue (CVE-2021-30713)
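The two observable conditions of a powerdir-style attack are a user whose home directory, as recorded in Directory Services, no longer points where it should, and a TCC database containing grants nobody approved. The following defender-side audit is an added example written for this page; it is not Microsoft’s or Apple’s code and it does not reproduce the exploit. It assumes the Monterey-era layout, where the per-user database sits at ~/Library/Application Support/com.apple.TCC/TCC.db and its `access` table stores one row per (service, client) decision with `auth_value` 2 meaning allowed and 3 meaning limited; the sample rows, bundle identifiers and the `dscl` lookup of NFSHomeDirectory are assumptions for the example, and the sample rows are constructed.

```python
"""Audit a TCC.db for granted privacy permissions and flag a redirected home.

Added example, not Microsoft's or Apple's code. Assumes the Monterey-era
TCC.db layout: the `access` table records one row per (service, client)
decision and auth_value 2 = allowed, 3 = limited (0 = denied, 1 = unknown).
"""
import os
import sqlite3
import subprocess
import sys
import tempfile

# Assumed per-user location of the TCC database (relative to the home directory).
TCC_DB_REL = "Library/Application Support/com.apple.TCC/TCC.db"
FULL_DISK_ACCESS = "kTCCServiceSystemPolicyAllFiles"

# auth_value meanings (assumption, see module docstring).
AUTH_DENIED, AUTH_UNKNOWN, AUTH_ALLOWED, AUTH_LIMITED = 0, 1, 2, 3

# Constructed sample rows: (service, client, client_type, auth_value, last_modified).
# client_type 0 = bundle identifier. The bundle IDs are made up for this example.
SAMPLE_ROWS = [
    (FULL_DISK_ACCESS, "com.example.legit-backup", 0, AUTH_ALLOWED, 1700000000),
    ("kTCCServiceMicrophone", "com.example.chat", 0, AUTH_DENIED, 1700000100),
    ("kTCCServiceCamera", "com.example.chat", 0, AUTH_ALLOWED, 1700000200),
    (FULL_DISK_ACCESS, "com.example.dropper", 0, AUTH_ALLOWED, 1700000300),
]


def build_sample_tcc_db(path):
    """Create a minimal TCC.db (only the columns this audit reads) with the sample rows."""
    db = sqlite3.connect(path)
    try:
        db.execute(
            "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER,"
            " auth_value INTEGER, last_modified INTEGER,"
            " PRIMARY KEY (service, client, client_type))"
        )
        db.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
        db.commit()
    finally:
        db.close()


def granted_entries(path):
    """Return (service, client) pairs the database marks as allowed or limited."""
    db = sqlite3.connect(path)
    try:
        rows = db.execute(
            "SELECT service, client FROM access WHERE auth_value IN (?, ?)"
            " ORDER BY service, client",
            (AUTH_ALLOWED, AUTH_LIMITED),
        ).fetchall()
    finally:
        db.close()
    return [tuple(r) for r in rows]


def full_disk_access_clients(path):
    """Clients holding Full Disk Access, the grant a planted database would most want."""
    return [client for service, client in granted_entries(path) if service == FULL_DISK_ACCESS]


def home_is_redirected(username, nfs_home):
    """True when the Directory Services home differs from the conventional /Users/<name>."""
    return os.path.normpath(nfs_home) != os.path.join("/Users", username)


def lookup_nfs_home(username):
    """Ask Directory Services for NFSHomeDirectory (macOS only; output 'NFSHomeDirectory: /path')."""
    out = subprocess.check_output(
        ["dscl", ".", "-read", f"/Users/{username}", "NFSHomeDirectory"], text=True
    )
    return out.split(":", 1)[1].strip()


def sample_audit():
    """Build the constructed sample database in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "TCC.db")
        build_sample_tcc_db(path)
        return {"granted": granted_entries(path),
                "full_disk_access": full_disk_access_clients(path)}


def main():
    user = os.environ.get("USER", "")
    if sys.platform != "darwin" or not user:
        print("Not on macOS; auditing the constructed sample instead:", sample_audit())
        return
    nfs_home = lookup_nfs_home(user)
    flag = "  <-- REDIRECTED, investigate" if home_is_redirected(user, nfs_home) else ""
    print(f"NFSHomeDirectory for {user}: {nfs_home}{flag}")
    db_path = os.path.join(nfs_home, TCC_DB_REL)
    try:
        # Reading the real TCC.db itself requires Full Disk Access for the caller.
        for service, client in granted_entries(db_path):
            print(f"{service}: {client}")
    except sqlite3.OperationalError as exc:
        print(f"Cannot read {db_path}: {exc}")


if __name__ == "__main__":
    main()
```

Run on a Mac, the script prints the user’s NFSHomeDirectory, flags it if it no longer points under /Users, and then lists every allowed grant in the database that location implies; off macOS it audits the constructed sample, in which com.example.dropper shows up beside the legitimate backup tool as a second Full Disk Access holder. A redirected home plus an unexpected Full Disk Access client is the pairing worth alerting on.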
On December 13, 2021, Apple released security updates (macOS Monterey 12.1) that addressed the vulnerability. “A malicious application may be able to bypass Privacy preferences,” the company said in its security advisory, adding that the logic issue behind powerdir was addressed with improved state management.
Microsoft previously reported a security weakness, Shrootless, that allows an attacker to bypass System Integrity Protection (SIP), perform arbitrary operations, elevate privileges to root, and install rootkits on affected devices. The company’s analysts also uncovered new variants of the macOS WizardUpdate malware (also known as UpdateAgent or Vigram) that had been updated with new evasion and persistence techniques. In June of last year, Redmond disclosed serious firmware vulnerabilities in NETGEAR routers that attackers could exploit to break into and move laterally through corporate networks.