On January 11th, Microsoft disclosed a vulnerability in Apple's macOS that could allow an attacker to gain unauthorised access to protected user data by circumventing the operating system's Transparency, Consent, and Control (TCC) technology. On July 15, 2021, the Microsoft Security Vulnerability Research (MSVR) team reported its discovery to Apple's product security team. In a security update released on December 13, Apple fixed CVE-2021-30970, dubbed "Powerdir."
TCC is an Apple subsystem that was first introduced in macOS Mountain Lion in 2012. The technology was created to help users configure the privacy settings of the applications on their device, such as access to the camera or microphone, or to their calendar or iCloud account.
Previously, apps could access the TCC databases directly to read and even edit their contents. Apple made two changes to close off that bypass. First, Apple protected the system-wide TCC.db with System Integrity Protection (SIP), a macOS feature that blocks unauthorised code execution. Second, Apple implemented a TCC policy requiring that only apps with full disk access can access the TCC.db files.
The vulnerability discovered by Microsoft would allow attackers to circumvent this protection and launch an attack on a macOS device. When an app asks for access to protected user data, one of two things can happen. If the app and request type already have a record in the TCC databases, a flag in that database entry indicates whether the request should be allowed or denied, with no user intervention needed. If there is no record, the user is prompted to allow or deny access.
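The decision flow just described, as an added example that is not code from the article or from Microsoft or Apple: a small Python model of a per-user consent database, the allow/deny/prompt lookup TCC performs against it, and a defender-side audit that lists grants for clients not on a known list. The schema, the `Library/TCC/TCC.db` layout beneath the home directory, the client and service names, and the sample records are all constructed for illustration, not Apple's real format.

```python
import sqlite3
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed, simplified schema; the real TCC.db layout is not reproduced here.
SCHEMA = "CREATE TABLE access (client TEXT, service TEXT, allowed INTEGER)"


def user_db_path(home):
    """Per-user consent database resolved from the home directory (assumed layout)."""
    return Path(home) / "Library" / "TCC" / "TCC.db"


def init_db(db_path, records=()):
    """Create a consent database containing the given (client, service, allowed) rows."""
    db_path.parent.mkdir(parents=True, exist_ok=True)
    con = sqlite3.connect(db_path)
    con.execute(SCHEMA)
    con.executemany("INSERT INTO access VALUES (?, ?, ?)", records)
    con.commit()
    con.close()


def tcc_decision(home, client, service):
    """Model of the lookup: an existing record decides silently, a missing one prompts."""
    con = sqlite3.connect(user_db_path(home))
    row = con.execute(
        "SELECT allowed FROM access WHERE client = ? AND service = ?",
        (client, service),
    ).fetchone()
    con.close()
    if row is None:
        return "prompt"          # no record: the user is asked
    return "allow" if row[0] else "deny"   # record present: flag decides


def audit_grants(home, known_clients):
    """Defender check: return (client, service) pairs granted access whose client
    is not on the expected list. A grant for an unknown client in a freshly
    appearing database is the kind of record a planted TCC.db would carry."""
    con = sqlite3.connect(user_db_path(home))
    rows = con.execute(
        "SELECT client, service FROM access WHERE allowed = 1 ORDER BY client, service"
    ).fetchall()
    con.close()
    return [(c, s) for c, s in rows if c not in known_clients]


def demo():
    """Build two constructed home directories and compare the decisions made."""
    with TemporaryDirectory() as tmp:
        real_home = Path(tmp) / "Users" / "alice"
        # Legitimate database: the user has approved one calendar client only.
        init_db(user_db_path(real_home), [("com.example.Calendar", "Calendar", 1)])

        # A second directory carrying a database that pre-approves an unknown client.
        other_home = Path(tmp) / "tmp" / "other"
        init_db(user_db_path(other_home), [("com.example.Unknown", "Camera", 1)])

        return {
            "legit": tcc_decision(real_home, "com.example.Calendar", "Calendar"),
            "unknown": tcc_decision(real_home, "com.example.Unknown", "Camera"),
            # Same request, answered from the other directory's database: no prompt.
            "other": tcc_decision(other_home, "com.example.Unknown", "Camera"),
            "findings": audit_grants(other_home, known_clients={"com.example.Calendar"}),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that the lookup never questions which database it is reading: whatever directory the system resolves as the user's home supplies the consent history, so the integrity of that resolution is the real trust anchor. The audit function shows the complementary defensive view, enumerating silent grants and surfacing any client that was never expected to hold one.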
Researchers discovered that it is easy to programmatically modify a target's home directory and plant a bogus TCC database, the file that maintains the consent history of app requests, wrote Jonathan Bar, of the Microsoft 365 Defender Research Team, in a blog post on the findings. If abused on an unpatched system, he said, this issue could allow an attacker to launch an attack using the victim's protected personal data.
This is the latest in a long line of TCC flaws fixed by Apple in recent years. Last year Apple fixed CVE-2021-30713, a flaw that allowed attackers to bypass TCC protections and deliver XCSSET malware. According to the Jamf researchers who identified the problem, once on a machine, XCSSET used the bypass to take a screenshot of the user's desktop without requiring permission.
Other reported vulnerabilities linked to TCC bypass in the previous year included CVE-2020-9771 and CVE-2020-9934. Apple's remedy for the latter piqued Microsoft's interest, and during its investigation the team found an exploit that an attacker could use to change the settings of any app.