Microsoft Researchers Detail macOS Vulnerability That Could Let Attackers Gain User Data

Bhawani Singh
I am a blogger who believes in delivering latest tech news from around the world to my viewers.

Microsoft has detailed a vulnerability that existed in macOS which could allow an attacker to bypass its inbuilt technology controls and gain access to users’ protected data. Dubbed “powerdir,” the issue impacts the system called Transparency, Consent, and Control (TCC) that has been available since 2012 to help users configure privacy settings of their apps. It could let attackers hijack an existing app installed on a Mac computer or install their own app and start accessing hardware including microphone and camera to gain user data.

As detailed in a blog post, the macOS vulnerability could be exploited by bypassing TCC to target users’ sensitive data. Apple notably fixed the flaw in the macOS Monterey 12.1 update that was released last month. It was also fixed through the macOS Big Sur 11.6.2 release for older hardware. However, devices that are using an older macOS version are still vulnerable.
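The fixed releases named above can be used to triage a fleet inventory; the following is an added example, not code from Microsoft, Apple or this article, and it compares versions numerically so that a release such as 11.6.10 is not misread as older than 11.6.2. The function names and the sample inventory are hypothetical, and treating releases newer than Monterey as patched is an assumption.

```python
import re

# Fixed releases stated in the article, keyed by macOS major version.
FIXED = {12: (12, 1, 0), 11: (11, 6, 2)}


def parse_version(text):
    """Turn '11.6.10' into (11, 6, 10), zero-padded to three parts; None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def powerdir_status(version_text):
    """Classify one host as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable inventory value: needs a manual look
    major = version[0]
    if major > max(FIXED):
        return "patched"  # assumption: later major releases include the fix
    if major not in FIXED:
        return "vulnerable"  # older than any fixed release the article names
    return "patched" if version >= FIXED[major] else "vulnerable"


def triage(inventory):
    """Group hostnames by status, sorted for stable output."""
    groups = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory.items():
        groups[powerdir_status(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mac-01": "12.1", "mac-02": "12.0.1", "mac-03": "11.6.2", "mac-04": "11.6.10",
    "mac-05": "11.6", "mac-06": "10.15.7", "mac-07": "13.2", "mac-08": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```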

Apple uses TCC to help users configure privacy settings such as access to the device’s camera, microphone, and location, as well as services including calendar and iCloud account. The technology can be accessed through the Security & Privacy section in System Preferences.

On top of TCC, Apple uses a feature that aims to prevent unauthorised code execution on its systems, and it enforces a policy that restricts access to TCC to only apps with full disk access. An attacker can, though, change a target user’s home directory and plant a fake TCC database to gain the consent history of app requests, Microsoft security researcher Jonathan Bar Or said in the blog post.

“If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data,” the researcher said.

Microsoft’s researchers also developed a proof-of-concept to demonstrate how the vulnerability could be exploited by changing the privacy settings on any particular app.

Apple has acknowledged the efforts made by the Microsoft team in its security document. The vulnerability is tracked as CVE-2021-30970.
