Microsoft details macOS vulnerability that allowed protected data access

Microsoft has released details of the "Powerdir" vulnerability that allowed an attacker to access protected data on a Mac, prior to the December macOS Monterey patches.

Published on Monday, the blog post by the Microsoft 365 Defender Research Team explains the details behind the Powerdir vulnerability. The flaw could allow attackers to "bypass the operating system's Transparency, Consent and Control (TCC) technology", giving them access to protected user data.

TCC was introduced by Apple in macOS Mountain Lion in April 2012, and is designed to help users configure privacy settings for apps. For example, it can allow or deny an app access to onboard cameras and microphones, a user's calendar, or an iCloud account.

As a means to protect TCC, Apple also included a feature to prevent unauthorized code execution, as well as adding a policy restricting access to TCC only to apps with full disk access.

In its lengthy explanation, Microsoft says it managed to work out how to change a user's home directory to plant a fake TCC database. An attacker could then use the planted database to reach data and resources that TCC would normally protect.

This could involve an attacker taking over an app already installed on the Mac, or installing one of their own, and in turn accessing the user's data. It could also feasibly be used to gain access to a connected camera or mic, to actively spy on the user.

Microsoft responsibly disclosed the discovery to Apple, which led to the creation of a fix. Apple patched the vulnerability as part of its update to macOS 12.1 on December 13.

It is unclear exactly how severe the vulnerability is in practice, but a reading of Microsoft's explanation suggests the risk is reasonably low for most users. Changing the home directory would normally require local access, or would have to be paired with some other mechanism that grants enough control for it to work remotely, and the attack is blocked on any Mac that is kept up to date.

How to protect yourself

As macOS Monterey 12.1 is protected from the issue, the simple answer is to update macOS to the latest version. Apple also released an update at the same time for macOS Big Sur 11.6.2, so older Macs that don't support Monterey can be protected from the problem.

It is generally good practice to update all Macs to the latest supported operating system update, as soon as possible after its release.
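
For anyone checking more than one Mac, the following added example (not from Microsoft's or Apple's material) classifies a macOS version string against the two fixed releases named above, 12.1 and 11.6.2. The function names are hypothetical, and versions older than Big Sur are reported as unknown because this article names no fixed release for them.

```shell
#!/bin/sh
# Added example: compare a macOS version with the Powerdir fixes named in the
# article (macOS Monterey 12.1 and macOS Big Sur 11.6.2).

# version_ge A B: succeeds when dotted version A >= B (missing fields count as 0).
version_ge() {
    a="$1.0.0"; b="$2.0.0"            # pad so "12" compares as 12.0.0
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# powerdir_status VERSION: prints patched, vulnerable or unknown.
powerdir_status() {
    v=$1
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;  # not a dotted number
    esac
    major=${v%%.*}
    if [ "$major" -ge 12 ]; then
        fixed=12.1        # Monterey fix; later major releases compare as newer
    elif [ "$major" -eq 11 ]; then
        fixed=11.6.2      # Big Sur fix released at the same time
    else
        echo unknown      # the article names no fixed release for older macOS
        return 0
    fi
    if version_ge "$v" "$fixed"; then echo patched; else echo vulnerable; fi
}

# On a Mac, report the local machine; elsewhere only the functions are defined.
if command -v sw_vers >/dev/null 2>&1; then
    printf 'macOS %s: %s\n' "$(sw_vers -productVersion)" \
        "$(powerdir_status "$(sw_vers -productVersion)")"
fi
```

The same function can be fed version strings exported from an inventory tool, one per call, to list machines that still need the update.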