
Adload malware exploits flaw to bypass macOS protections for Safari


Microsoft Threat Intelligence on Oct. 17 warned security teams that Microsoft Defender for Endpoint had detected Adload malware exploiting a previously patched macOS vulnerability.

The flaw, tracked as CVE-2024-44133 and referred to by Microsoft as the HM Surf vulnerability, lets an attacker bypass the transparency, consent, and control (TCC) protection on the Safari browser directory. Because Safari itself is already trusted by TCC to use protected resources, that bypass gives the attacker a route to the device's camera, microphone and location without the consent prompt TCC normally enforces.

The Microsoft researchers said Apple released a fix for the vulnerability Sept. 16 as part of the macOS Sequoia 15 security updates. Because Defender for Endpoint observed the flaw being exploited in the wild, Microsoft Threat Intelligence advises security teams to apply the HM Surf patch as soon as possible.
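The first thing a vulnerability-management team needs here is a fleet view of which Macs still run a release below the one that carries the fix. The script below is an added example, not code from the article, Microsoft or Apple. It assumes, as the article states, that the fix shipped with macOS Sequoia 15, so any host reporting a ProductVersion below 15.0 is treated as unpatched; the inventory records are constructed sample data in the shape `sw_vers -productVersion` prints. Versions are compared as integer tuples rather than strings, because a lexical comparison would rank "9.x" above "15.x" and silently misclassify hosts.

```python
"""Flag macOS hosts still below the release that fixed CVE-2024-44133.

Added example, not from the article or from Microsoft/Apple. Assumes, per the
article, that the fix shipped with macOS Sequoia 15, so a ProductVersion below
15.0 is treated as unpatched. The inventory below is constructed sample data.
"""
from __future__ import annotations

# Earliest release carrying the fix, per the article (assumption: no lower
# branch is counted as fixed; confirm against Apple's advisory for your fleet).
FIXED_VERSION = (15, 0, 0)

# Constructed sample inventory: hostname -> output of `sw_vers -productVersion`.
SAMPLE_INVENTORY = {
    "mbp-eng-01": "15.0.1",
    "mbp-eng-02": "14.7.1",
    "mbp-sales-07": "15.0",
    "imac-lab-03": "13.6.9",
    "mbp-ops-11": "unknown",   # agent failed to report a version
}


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Turn '15.0.1' into (15, 0, 1), padding missing components with 0.

    Returns None for anything that is not dotted decimal, so a bad record is
    surfaced as unknown rather than compared as a string.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_patched(version_text: str) -> bool | None:
    """True if the host is on or above FIXED_VERSION, None if unparseable."""
    version = parse_version(version_text)
    if version is None:
        return None
    return version >= FIXED_VERSION


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Sort hosts into patched / unpatched / unknown buckets, hostnames sorted."""
    result: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        status = is_patched(version_text)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["patched"].append(host)
        else:
            result["unpatched"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket deserve the same urgency as "unpatched": a Mac whose agent cannot report its version is also one whose endpoint detection coverage cannot be assumed.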

“The macOS HM Surf vulnerability is a serious concern because of the unauthorized access it gives,” said Xen Madden, cybersecurity expert at Menlo Security. “But by the looks of it, most EDR tools will detect it, especially since Microsoft Defender detected it.”

Madden added that for large companies that have software to do behavioral detections, this won't have any real effect as they will be protected against this. However, Madden said security teams should prioritize updating all macOS devices, actively monitor for suspicious activity, and leverage behavioral-based detection tools to identify and respond to potential threats.

Ted Miracco, chief executive officer of Approov, pointed out that Safari’s elevated privileges give attackers a powerful and unique pathway to bypass TCC security.

“Safari's preferential treatment highlights a broader issue with how Apple restricts security innovations from other developers, creating a de facto monopoly that can backfire, as seen with this flaw,” said Miracco. “This incident exposes the danger of Apple's tightly controlled security model. Apple's claim that its ‘built-in’ security features negate the need for third-party solutions can lead to a false sense of security for users.”

Miracco added that while Apple’s security measures do prevent many types of exploits, vulnerabilities like CVE-2024-44133 demonstrate that no single vendor has a perfect security track record.
