The Flaw Could Allow Attackers to Bypass Privacy Preferences, Giving Apps With No Right to Access Files, Microphones, or Cameras the Ability to Record You or Grab Screenshots about a bug in macOS that Apple fixed the previous month — dubbed "powerdir" — that could let attackers hijack apps, install their malicious apps, use the microphone to eavesdrop or grab screenshots of your screen. Mi crosoft last week released an advisory According to the , Precisely, it could allow an attacker to bypass the operating system's (TCC) technology, thereby gaining unauthorized access to protected data in the machine. Microsoft 365 Defender Research Team the vulnerability allows malicious apps to bypass privacy preferences. Transparency, Consent, and Control Tracked as CVE-2021–30970, the flaw affects a logic issue in the Transparency, Consent, and Control (TCC) security framework, enabling users to configure their apps' privacy settings and provide access to protected files and app data. The in the macOS System Preferences app serves as the front end of TCC. Security & Privacy pane While Apple implements control that limits access to TCC to only apps with full disk access, it's possible to stage an attack wherein a malicious application could workaround its privacy preferences to retrieve sensitive information from the machine. Transparency, Consent, and Control (TCC) TCC was in macOS Mountain Lion. It helps users to configure their apps' privacy settings by requiring that all apps get user consent before accessing files in: introduced in 2012 Documents, Downloads, Desktop, iCloud Drive, Calendar, and Network volumes, as well as before the apps can access the device's camera, microphone, or location data. According to , it is possible to programmatically change a target user's home directory and , which stores the consent history of app requests. Microsoft's advisory implant a fake TCC database As a result, if a bad actor gains full disk access to the TCC databases, the intruder could edit it to grant arbitrary permissions to any app of their choice. Including their own "app," this flaw effectively allows the app to run with previously not consented to configurations. CVE-2021–30970 is also the third TCC-related bypass vulnerability to be discovered. All of them were remediated by Apple. ( ): macOS offers a built-in backup and restores solution called . It was discovered that Time Machine backups could be mounted (using the apfs_mount utility) with the "noowners" flag. Since these backups contain the TCC.db files, an attacker could mount those backups and determine the device's TCC policy without having full disk access. Time Machine mounts CVE-2020–9771 Time Machine ( ): It was discovered that the user's could build the path to the TCC.db file by expanding $HOME/Library/Application Support/com.apple.TCC/TCC.db. Since the user could manipulate the $HOME environment variable (as introduced to tccd by aunchd), an attacker could plant a chosen TCC.db file in an arbitrary path, poison the $HOME environment variable, and make TCC.db consume that file instead. Environment variable poisoning CVE-2020–9934 tccd l ( ): in a blog post about the XCSSET malware family, this bug abused how macOS was deducing app bundle information. For example, suppose an attacker knows of a specific app that commonly has microphone access. In that case, they could plant their application code in the target app's bundle and "inherit" its TCC capabilities. Bundle-conclusion issue CVE-2021–30713 First disclosed by Jamf How to Update to macOS Apple released a patch for this vulnerability — identified as — CVE-2021–30970 in macOS Big Sur and macOS Monterey as part of its December 13th, 2021 security updates . The update is free, and you need to be connected to the internet. The installation will take several minutes (up to about 30 minutes). Also, your Mac needs to restart during the update. Therefore, make sure you backup your working windows and files before the update. Here are the steps to do the installation: Go to System Preferences in the Apple menu Click on . Software Update Your Mac will check to see if the update is available. When it is, an Install button will appear. Click Install and your Mac will start downloading the update. After that, it will start the installation. Final Words Apple remarked that the flaw was a logic issue allowing a malicious to bypass privacy preferences. Apple has since patched these vulnerabilities, but Microsoft said that its research shows that "the potential bypass to TCC.db can still occur." This shows that macOS or other operating systems and applications become more hardened with each release. As a result, software vendors like Apple, security researchers, and the larger security community need to continuously work together to identify and fix vulnerabilities before attackers can take advantage of them. Thank you for reading. May InfoSec be with you🖖. Also Published Here

Apple

Microsoft

Target

Mapping Risk to Cyber Threats, and Adopt Zero Trust by NIST's CSF

Cybersecurity Predictions For 2022

2021 - HackerNoon Contributor of the Year - CULTURE

Support Me on Coil

2021 - HackerNoon Contributor of the Year - PERSONAL-DATA

Nominated for 2022 - HackerNoon Contributor of the Year - Cybersecurity

Nominated for 2022 - HackerNoon Contributor of the Year - Security

Nominated for 2022 - HackerNoon Contributor of the Year - Privacy

Nominated for 2022 - HackerNoon Contributor of the Year - Beginners Guide

Nominated for 2022 - HackerNoon Contributor of the Year - Containers

Nominated for 2022 - HackerNoon Contributor of the Year - Data Privacy

Too Long; Didn't Read

The Powerdir  MacOS Bug Could Allow Attackers to Snoop On You

The Powerdir MacOS Bug Could Allow Attackers to Snoop On You

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

10 Soul-Crushing Reasons to Abandon the Catastrophic Mess That Is Swift

10 Best Free Vector Icon Resources for App Design & Web Design in 2018

The Noonification: Innovation Is Slowing Down (10/19/2022)

The Noonification: 2024 Just Might Be The Year Crypto Enthusiasts Are Looking For (1/8/2024)

3 Easy Ways to Share Your Location on an iPhone

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

10 Soul-Crushing Reasons to Abandon the Catastrophic Mess That Is Swift

10 Best Free Vector Icon Resources for App Design & Web Design in 2018

The Noonification: Innovation Is Slowing Down (10/19/2022)

The Noonification: 2024 Just Might Be The Year Crypto Enthusiasts Are Looking For (1/8/2024)

3 Easy Ways to Share Your Location on an iPhone

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps