Microsoft Researchers Detail macOS Vulnerability That Could Let Attackers Gain User Data

by admin 0 Comments

APPLE
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Microsoft has detailed a vulnerability that existed in macOS which could allow an attacker to bypass its inbuilt technology controls and gain access to users’ protected data. Dubbed “powerdir,” the issue impacts the system called Transparency, Consent, and Control (TCC) that has been available since 2012 to help users configure privacy settings of their apps. It could let attackers hijack an existing app installed on a Mac computer or install their own app and start accessing hardware including microphone and camera to gain user data.

As detailed on a blog post, the macOS vulnerability could be exploited by bypassing TCC to target users’ sensitive data. Apple notably fixed the flaw in the macOS Monterey 12.1 update that was released last month. It was also fixed through the macOS Big Sur 11.6.2 release for older hardware. However, devices that are using an older macOS version are still vulnerable.

Apple is using TCC to help users configure privacy settings such as access to the device’s camera, microphone, and location as well as services including calendar and iCloud account. The technology is available for access through the Security & Privacy section in System Preferences.

On top of TCC, Apple uses a feature that is aimed to prevent systems from unauthorised code execution and enforced a policy that restricts access to TCC to only apps with full disk access. An attacker can, though, change a target user’s home directory and plant a fake TCC database to gain the consent history of app requests, Microsoft security researcher Jonathan Bar Or said in the blog post.

“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data,” the researcher said.

Microsoft’s researchers also developed a proof-of-concept to demonstrate how the vulnerability could be exploited by changing the privacy settings on any particular app.

Apple has acknowledged the efforts made by the Microsoft team in its security document. The vulnerability is traced as CVE-2021-30970.

Affiliate links may be automatically generated – see our ethics statement for details.

Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2022 hub.

This article was originally published by Ndtv.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Nothing Ear, Nothing Ear A TWS Earphones With Up to 45dB ANC Launched in India: Price, Specifications
Apple’s 12.9-Inch iPad Air Tipped to Feature LCD Panel Just Like 5th Gen iPad Air Model
Samsung Galaxy Ring Model Numbers Reveal Compact Wearable Will Arrive in Eight Sizes: Report
Gigabyte Aorus 49-Inch AI-Enabled QD-OLED Gaming Monitor Debuts in India: Price, Features
Apple Close to Finalizing Deal With FIFA Over TV Rights For New Club World Cup Tournament: Report

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.