Microsoft warns of macOS privacy bug, urges users to update


In a bit of a turnaround, Microsoft has warned Apple macOS users to update their devices to the latest patch level, after the company disclosed a bug in Apple’s Transparency, Consent, and Control (TCC) technology which could allow attackers to install spyware.

The so-called “powerdir” vulnerability (CVE-2021-30970) was discovered by Microsoft and disclosed to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), and allows attackers to spoof the Transparency, Consent, and Control feature.

TCC is a technology dating to 2012 which is designed to prevent apps from accessing users’ personal information without their prior consent and knowledge.

“We discovered that it is possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests. If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data. For example, the attacker could hijack an app installed on the device—or install their own malicious app—and access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen,” said Microsoft in a blog post.

Apple released a fix for the issue on the 13th December 2021 and Microsoft is urging macOS users to apply the patches as soon as possible.

via ToI
