Security News > 2022 > January > Microsoft: powerdir bug gives access to protected macOS user data
Microsoft says threat actors could use a macOS vulnerability to bypass the Transparency, Consent, and Control (TCC) technology to access users' protected data.
The Microsoft 365 Defender Research Team reported the vulnerability, dubbed powerdir, to Apple on July 15, 2021, via Microsoft Security Vulnerability Research.
TCC is a security technology designed to block apps from accessing sensitive user data by allowing macOS users to configure privacy settings for the apps installed on their systems and devices connected to their Macs, including cameras and microphones.
While Apple has restricted TCC access only to apps with full disk access and set up features to automatically block unauthorized code execution, Microsoft security researchers found that attackers could plant a second, specially crafted TCC database that would allow them to access protected user info.
Since the user could manipulate the $HOME environment variable, an attacker could plant a chosen TCC.db file in an arbitrary path, poison the $HOME environment variable, and make TCC consume that file instead.
Bundle conclusion issue: First disclosed by Jamf in a blog post about the XCSSET malware family, this bug abused how macOS was deducing app bundle information.
Apple addressed the logic issue behind the powerdir security flaw with improved state management.