Microsoft Researchers Detail macOS Vulnerability That Could Let Attackers Gain User Data

by admin 0 Comments

APPLE
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Microsoft has detailed a vulnerability that existed in macOS which could allow an attacker to bypass its inbuilt technology controls and gain access to users’ protected data. Dubbed “powerdir,” the issue impacts the system called Transparency, Consent, and Control (TCC) that has been available since 2012 to help users configure privacy settings of their apps. It could let attackers hijack an existing app installed on a Mac computer or install their own app and start accessing hardware including microphone and camera to gain user data.

As detailed on a blog post, the macOS vulnerability could be exploited by bypassing TCC to target users’ sensitive data. Apple notably fixed the flaw in the macOS Monterey 12.1 update that was released last month. It was also fixed through the macOS Big Sur 11.6.2 release for older hardware. However, devices that are using an older macOS version are still vulnerable.

Apple is using TCC to help users configure privacy settings such as access to the device’s camera, microphone, and location as well as services including calendar and iCloud account. The technology is available for access through the Security & Privacy section in System Preferences.

On top of TCC, Apple uses a feature that is aimed to prevent systems from unauthorised code execution and enforced a policy that restricts access to TCC to only apps with full disk access. An attacker can, though, change a target user’s home directory and plant a fake TCC database to gain the consent history of app requests, Microsoft security researcher Jonathan Bar Or said in the blog post.

“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data,” the researcher said.

Microsoft’s researchers also developed a proof-of-concept to demonstrate how the vulnerability could be exploited by changing the privacy settings on any particular app.

Apple has acknowledged the efforts made by the Microsoft team in its security document. The vulnerability is traced as CVE-2021-30970.

Affiliate links may be automatically generated – see our ethics statement for details.

Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2022 hub.

This article was originally published by Ndtv.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Circle to Search Could Soon Support Split Screen Mode on Pixel Phones: Report
Samsung Galaxy S23 FE to Be Discounted During Flipkart’s Big Saving Days Sale 2024
Lenovo Yoga 7i 2-in-1 Laptop Refreshed With Up to Intel Core Ultra 7 CPUs, Dedicated Copilot Key in India
WhatsApp Communities to Get New Events Feature, Replies to Announcement Groups
Apple CEO Tim Cook Talks About India in Q2 Earnings Call, Says It’s an ‘Incredibly Exciting Market’

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.