When Apple released macOS Sequoia last month, it added new features like window alignment and the ability to control your iPhone from your Mac. However, in addition to surface-level changes, the new update also introduced a long line of patches for security issues. Coincidentally, one of these vulnerabilities was discovered by none other than Microsoft, and this is quite concerning for Macs used within organizations.
How Safari’s TCC error works
Microsoft detailed its findings in a blog post on October 17, about a month after the release of macOS Sequoia on September 16. The company calls the error ‘HM Surf’, named after the learnable move in the Pokemon series, which they discovered allows bad actors to bypass Apple’s Transparency, Consent, and Control Platform for Safari. TCC typically prevents apps from accessing services like your location, camera, or microphone without proper permission. It’s essential for protecting your privacy from apps that might otherwise want to abuse it.
However, Apple gives some of its own apps permissions that allow them to bypass these TCC roadblocks. After all, it’s Apple’s app, so the company knows it’s not malicious. In the case of Safari, Microsoft discovered that the app can access your Mac’s address book, camera and microphone, among other things, without having to go through TCC checks first.
That said, you’ll still encounter TCC checks when you use Safari on different websites: that’s what happens when you load a page and a popup asks if you want to give the site access to, say, your camera. These TCC settings per website are saved in a folder on your Mac under ~/Library/Safari.
This is where the exploit comes in: Microsoft has discovered that you can change this folder to a different location, which will remove the TCC protections. You can then change sensitive files in the real home folder and then move the folder back so that Safari picks up the changed files you put in the right place. Congratulations: you can now bypass TCC protections, take a photo with the Mac’s webcam, and access machine location data.
Microsoft says there are a number of actions bad actors could take in this situation, including saving the webcam photo somewhere they can access it later; record video from your webcam; stream audio from your microphone to an external source; and run Safari in a small window so that you don’t notice its activity. Importantly, third-party browsers are not affected by this as they have to deal with Apple’s TCC requirements and do not have Safari’s rights to bypass them.
While Microsoft found suspicious activity during its investigation that could indicate this vulnerability has been exploited, it cannot say for sure.
This vulnerability only affects MDM-managed Macs
After reading Microsoft’s report, you may be concerned about the prospect of bad actors snooping around your Mac through Safari. What is not made explicit here, however, is that this vulnerability only affects MDM-managed Macs, that is, Macs that belong to organizations managed by a central IT service. That includes Macs you get from work, or a computer from your school.
Apple confirms this in its security notes for macOS Sequoia, in a fairly short post, taking into account the privacy and security implications:
Credit: Apple
Of course, the error is still serious, but it is much more limited. You don’t have to worry about Safari on your personal Mac giving hackers access to your webcam, microphone and location. But if you have a work or school Mac that is managed with MDM, that’s a problem and you should install the update as soon as possible.
Fix the problem on your MDM-managed Mac
This error affects the following Macs: Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later) and iMac Pro (2017 and later).
Your organization may have already released the update for your Mac, if it is eligible. However, if your machine isn’t running macOS Sequoia, check with your company or school IT to see when an update will become available.
