Following its discovery of the Shrootless vulnerability back in October 2021, Microsoft has uncovered a new macOS vulnerability that it says could be exploited to gain unauthorized access to a user's data.
Tracked as CVE-2021-30970, the new "powerdir" flaw found by the Microsoft 365 Defender Research Team could allow an attacker to bypass the Transparency, Consent and Control (TCC) technology in Apple's desktop operating system, the company wrote in a blog post.
First introduced back in 2012 on macOS Mountain Lion, TCC was created to help Mac users configure the privacy settings of their apps, such as which ones have access to a device's camera, microphone or location, as well as to the user's calendar or iCloud account.
To protect TCC, Apple introduced a feature that prevents unauthorized code execution and enforces a policy that restricts access to TCC to apps with full disk access. Under the hood, macOS actually keeps two kinds of TCC database: a user-specific database that stores permission types applying only to a specific user profile, and a system-wide database that stores permission types applying at the system level, which can be accessed by users with root or full disk access.
During its investigation into the matter, the Microsoft 365 Defender Research Team discovered that it was possible to programmatically change a target user's home directory and plant a fake TCC database capable of storing the consent history of app requests.
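As an added audit example (not code from Microsoft's or Apple's write-ups), the script below looks for the precondition the paragraphs above describe: a user account whose home directory has been redirected away from its normal location, which is where a planted per-user TCC.db would be read from. It assumes the line format of `dscl . -list /Users NFSHomeDirectory` (one `name  path` per line), uses a constructed sample of that output, and treats the list of "normal" home-directory roots as an assumption to adjust per fleet.

```python
import subprocess
from typing import Dict, List, Tuple

# Roots under which service-account homes normally live (assumption; adjust per fleet).
SYSTEM_HOME_ROOTS = ("/var/", "/private/var/", "/Library/", "/System/")

# Constructed sample in the shape of `dscl . -list /Users NFSHomeDirectory`.
SAMPLE_DSCL_OUTPUT = """\
_www            /Library/WebServer
daemon          /var/root
nobody          /var/empty
alice           /Users/alice
bob             /tmp/bob_fake_home
mallory         /Users/Shared/.m
"""

def parse_dscl_homes(output: str) -> Dict[str, str]:
    """Parse `name  path` lines into {user: home_dir}; blank/odd lines are skipped."""
    homes: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            homes[parts[0]] = parts[1].strip()
    return homes

def tcc_db_path(home: str) -> str:
    """Location of the per-user TCC database relative to an account's home directory."""
    return f"{home.rstrip('/')}/Library/Application Support/com.apple.TCC/TCC.db"

def is_expected_home(user: str, home: str) -> bool:
    """A regular account should live at /Users/<name>; service accounts under system roots."""
    return home == f"/Users/{user}" or home.startswith(SYSTEM_HOME_ROOTS)

def find_suspicious_homes(homes: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (user, home, tcc_db) for accounts whose home directory is not where expected."""
    return [(u, h, tcc_db_path(h)) for u, h in sorted(homes.items()) if not is_expected_home(u, h)]

def audit_live_system() -> List[Tuple[str, str, str]]:
    """Query Directory Services on a real Mac (needs macOS; the sample below runs anywhere)."""
    out = subprocess.run(["dscl", ".", "-list", "/Users", "NFSHomeDirectory"],
                         capture_output=True, text=True, check=True).stdout
    return find_suspicious_homes(parse_dscl_homes(out))

if __name__ == "__main__":
    for user, home, db in find_suspicious_homes(parse_dscl_homes(SAMPLE_DSCL_OUTPUT)):
        print(f"{user}: home {home} is unexpected; per-user TCC db would be read from {db}")
```

A hit only means the home directory is unusual; confirm by checking who owns that path and the TCC.db inside it before treating it as evidence of tampering.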
If the powerdir vulnerability is exploited on unpatched systems, it could allow a malicious actor to potentially orchestrate an attack based on a user's protected personal data. For instance, an attacker could hijack an app installed on a device or even install their own malicious app and access the microphone on a MacBook to record private conversations or capture screenshots of sensitive information displayed on a user's screen.
This isn't the first TCC vulnerability that has been discovered and subsequently patched. However, it was by examining one of the latest fixes that Microsoft came across powerdir. The company's research team even had to update its proof-of-concept (POC) exploit because the initial version no longer worked on the latest version of macOS (Monterey).
After discovering the powerdir vulnerability, Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD), and Apple released a fix as part of a series of security updates released in December of last year. To prevent falling victim to any potential attacks, macOS users should download and apply the latest security updates as soon as possible.