Blog Post

Ritelink Blog > News > FAQs > MacOS users should patch their systems now to protect against new powerdir vulnerability

MacOS users should patch their systems now to protect against new powerdir vulnerability

Following its discovery of the Shrootless vulnerability back in October 2021, Microsoft has uncovered a new macOS vulnerability that it says could be exploited to gain unauthorized access to a user’s data.

Tracked as CVE-2021-30970, the new “powerdir” flaw found by the Microsoft 365 Defender Research Team could allow an attacker to bypass the Transparency, Consent and Control (TCC) technology in Apple’s desktop operation system, the company wrote in a blog post.

First introduced back in 2012 on macOS Mountain Lion, TCC was created to help Mac users configure the privacy settings of their apps such as which ones have access to a device’s camera, microphone or location in addition to a user’s calendar or iCloud account.

To protect TCC, Apple introduced a feature that prevented unauthorized code execution and enforced a policy that restricts access to TCC only to apps with full disk access. There are actually two kinds of TCC databases under the hood in macOS and the user-specific database stores permissions types that only apply to a specific user profile while the system-wide database contains stored permission types that apply on a system level and can be accessed by users with root or full disk access.

Powerdir vulnerability

During its investigation into the matter, the Microsoft 365 Defender Research Team discovered that it was possible to programmatically change a target user’s home directory and plant a fake TCC database capable of storing the consent history of app requests.

If the powerdir vulnerability is exploited on unpatched systems, it could allow a malicious actor to potentially orchestrate an attack based on a user’s protected personal data. For instance, an attacker could hijack an app installed on a device or even install their own malicious app and access the microphone on a MacBook to record private conversations or capture screenshots of sensitive information displayed on a user’s screen.

This isn’t the first TCC vulnerability that has been discovered and subsequently patched. However, it was by examining one of the latest fixes that Microsoft came across powerdir. The company’s research team even had to update its proof-of-concept (POC) exploit because the initial version no longer worked on the latest version of macOS (Monterey).

After discovering the powerdir vulnerability, Microsoft shared its findings with Apple through Coordinated Vulnerability Disclosure (CVD) and Apple released a fix as part of a series of security updates released in December of last year. To prevent falling victim to any potential attacks, macOS users should download and apply the latest security updates as soon as possible.

Leave a comment

Your email address will not be published. Required fields are marked *