macOS HM Surf vuln might already be under exploit by major malware family

In revealing details about a vulnerability that threatens the privacy of Apple fans, Microsoft urges all macOS users to update their systems. The bug, tracked as CVE-2024-44133 (CVSS 5.5) and patched in September's macOS Sequoia updates, is believed to be potentially exploited by the Adloader macOS malware family, Microsoft's …

  1. Del Varner

    Why I like my Mac Mini

    "A successful exploit could potentially allow an attacker to take photos using a device's camera, record audio from its microphone, disclose the user's location, and more."

    My mini has no microphone hooked up (is there a secret one in the hardware?), and there is no camera.

    1. Stuart Castle

      Re: Why I like my Mac Mini

      Ideally, I'd like to see webcams become optional extras again, but if that isn't feasible, I'd like to see a minimum standard of security introduced into webcam design. I'd like to see the webcams designed so they have a physical lens cover, or retract into the monitor, and when the cover is on, or the device is retracted, the connection to the device is physically broken. The mechanism should be a simple switch that disengages when appropriate. Nothing that can be changed by software.

      But, that would add several pence to the build cost of the webcam, and we can't have that.

    2. Stuart Castle

      Re: Why I like my Mac Mini

      When we went into lockdown, I was given a laptop. This laptop was a generic one, and while it was nice, it was nowhere near powerful enough for my job (I made heavy use of VMs at the time), and we did not have the money to buy a laptop that was.

      So, I used my own machine. As part of working from home, my boss wanted me to have a webcam. I always refused. Why? Because it was my PC, and it was in my bedroom. I didn't want hackers potentially being able to see and hear my private space. I still don't have a webcam on that machine, and usually no microphone on it.

      1. Anonymous Coward

        Re: Why I like my Mac Mini

        Boss's request for a video call and your needs for a more powerful computer are not mutually exclusive. Why couldn’t you just fire up the laptop when required and use the webcam and Teams(?)

        If you were my employee you’d be ordered back to the office and the privilege of working from home removed from you.

        1. Anonymous Coward

          Re: Why I like my Mac Mini

          Ok, boomer.

          There's ZERO need for anybody I'm working with to see my face. I don't do video calls. I might need to show somebody something, I might need to see their screen, but I don't need to see their face and they don't get to see mine.

          But hey, you reminded me that I haven't gotten around to stickering the cam on my new laptop. I'll do that now, I don't want the camera to work, EVER.

  2. Stu J

    Although it's delightfully altruistic of Microsoft to help Apple out by pointing out vulnerabilities in Safari, one would have thought it would be a far better use of their time to work on the security posture of their own malodorous software instead...

    1. Anonymous Coward

      .. but that would be hard work and go against their usual approach: distract you. Focusing on others thus serves a dual function, which is in itself unusually efficient for Microsoft.

    2. Stuart Castle

      Microsoft have been pointing out vulnerabilities in other people's software for a long time. In some ways, I think it is good. After all, if a vulnerability is more visible, it's more likely to be fixed. But I think there is also a hint of Microsoft saying "See, their software is vulnerable too!".

  3. Dr. G. Freeman

    Wonder when they're going to get round to fixing the bug on Sequoia that stuffed up USB flash drives?

    Only been reported for ohhh, four months.

    The IQ50 "geniuses" say use iCloud, I would if I could get the information off the flash drive.

    1. GraXXoR

      That bug has existed since well before Sequoia. I noticed it as far back as Catalina at least where certain USB drives of mine (not all of them, strangely) would just disconnect randomly on my main Mac or transfer data at some ridiculously low speed, throw random errors or just lock the machine up.

      You could argue that there’s a problem with the affected USB cases’ interface, but none of my High Sierra Macs or even my Windows PCs have any problems.

      Anyway, this has nothing to do with the article so not entirely sure why you brought it up.

  4. Dan 55 Silver badge

    "Safari has an entitlement that allows it to bypass all TCC protections"

    There's your problem right there.

    A browser is probably the piece of software which most needs protection against unauthorised access to location, microphone, and webcam but the built-in one doesn't get it so as not to pop up warnings and scare off users. Presumably Apple have worked out fewer and fewer people bother with Safari on desktop...

    1. Charlie Clark Silver badge

      Re: "Safari has an entitlement that allows it to bypass all TCC protections"

      Yep, this is precisely the same vector that ActiveX exploits were able to use in Internet Explorer. This is an anti-pattern when it comes to security but is necessary due to Apple's dumbing down of MacOS so that it also works for I-Phones.

  5. tip pc Silver badge

    Defender for Mac?

    Since when has Defender been a thing for Mac? Is that one of those things that corps use as their MDM offering?

    XProtect is the built-in antimalware tool.

    https://support.apple.com/en-gb/guide/security/sec469d47bd8/web

    https://eclecticlight.co/2024/09/25/how-xprotect-has-changed-in-macos-sequoia/

    XProtect update should stop any malicious exploit, OS updates fix the vulnerability.

  6. This post has been deleted by its author

  7. DS999 Silver badge

    That's really stupid

    "the config files in the Safari browser directory, where its TCC-related files are kept"

    WTF? Why would you keep security related settings in a place users can modify them? If it requires 'root' access that's fine, you expect a root user to be able to mess with things. But I assume this is something being done as a normal user, and they aren't talking about the browser INSTALL directory but the browser CONFIG directory, i.e. stuff kept in each user's home directory.

  8. MachDiamond Silver badge

    I lied

    Only my iMac has a camera and it has a piece of tape over it. The microphone has been physically disabled. All of the other macs I use don't have cameras, mics or something to report fix a location. My laptop is taped off and it's not often online when I use it when I'm out and about.

    With no InstaPintaXittFace accounts, I don't have any need for cameras and mics. If I did need them, I can hook up external devices and use a much better microphone and camera with more optimum placement (not looking up my nostrils and picking up sound from the whole room). The lack of this need has prompted me to remove the ability for just such an emergency.

    1. Anonymous Coward

      Re: I lied

      If somebody wants to video chat with me, I'll dig up the endoscope cam and they can have a really good look up my nose.
