iOS vuln leaves user data dangerously exposed
A bypass flaw in the FileProvider Transparency, Consent and Control (TCC) subsystem within Apple's iOS operating system could leave users' data dangerously exposed, according to researchers at Jamf Threat Labs.

Assigned CVE-2024-44131, the issue was patched by Apple in September 2024, and Jamf, whose researchers are credited with its discovery, is formally disclosing it today. It also affects macOS devices, although Jamf's researchers have focused on the mobile ecosystem because mobile estates are more often neglected during updates.

CVE-2024-44131 is of particular interest to threat actors because, if successfully exploited, it lets them access sensitive information held on the target device, including contacts, location data and photos.

TCC is a critical security framework, the Jamf team explained, which prompts users to grant or deny requests from specific applications to access their data, and CVE-2024-44131 enables a threat actor to sidestep it completely if they can convince their victim to download a malicious app.

"This discovery highlights a broader security concern as attackers focus on data and intellectual property that can be accessed from multiple locations, allowing them to focus on compromising the weakest of the connected systems," said the team. "Services like iCloud, which allow data to sync across devices of many form factors, enable attackers to attempt exploits across a variety of entry points as they look to accelerate their access to valuable intellectual property and data."

Open to abuse

This is not the first time that Apple's TCC subsystem has been shown to be at risk of compromise. Earlier in 2024, Cisco Talos researchers detailed eight vulnerabilities in Microsoft applications, including Excel, PowerPoint and Teams, that could let a threat actor bypass TCC by injecting a malicious code library into a running application and inheriting the permissions the user had already granted to that application.
The researcher who discovered those flaws said that because Apple's operating systems trust applications to self-police their permissions, a failure in this responsibility effectively breaks down the entire permission model.

At the core of the FileProvider problem sits the interaction between Apple's Files.app and the FileProvider system process when managing file operations.

In the exploit demonstrated, when an unwitting user moves or copies files or directories with Files.app within a directory that a malicious app running in the background can access, the attacker gains the ability to manipulate a symbolic link, or symlink: a file that exists solely to point at the path of another file or directory.

File operation APIs usually check for symlinks before beginning the operation, but those checks typically inspect only the final component of the path. A symlink placed earlier in the path, which is what this exploit chain does, is therefore never examined and the check is bypassed.

In this way, the attacker can use the malicious app to abuse the elevated privileges of FileProvider to move or copy data into a directory they control without being spotted. They can then hide these directories or upload their contents to a server they control. Crucially, said the Jamf team, the entire operation occurs without triggering any TCC prompt.

The most effective defence against this flaw is to apply the patches from Apple, which have been available for a couple of months.
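The weakness described above, a symlink check that looks only at the final path component, is easy to see in a small, generic illustration. The following Python is an added example and is not Jamf's proof of concept or Apple's FileProvider code: the temporary directory layout, the "allowed", "secret" and "app_sandbox" names, the sample file and the stand-in privileged copy routine are all constructed for the demo. It runs the same copy under the weak check and under two hardened checks (walking every component beneath the permitted root, and canonicalising the whole path with realpath) and reports where the data ended up.

```python
"""Added illustration of a symlink check that only inspects the last path
component versus checks that validate the whole path. Generic Python, not
Apple's code; directory names and sample data are constructed for the demo."""
import os
import shutil
import tempfile


def last_component_is_symlink(path: str) -> bool:
    """Weak check: only asks whether the final path component is a symlink.
    A symlink in an earlier component is never examined."""
    return os.path.islink(path)


def symlink_below_root(path: str, root: str) -> bool:
    """Stronger check: walk every component of `path` beneath `root` and
    report True if any of them is a symlink (or the path escapes lexically)."""
    rel = os.path.relpath(path, root)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        return True  # '..' escape: treat like a redirect
    prefix = root
    for part in rel.split(os.sep):
        if part == os.curdir:
            continue
        prefix = os.path.join(prefix, part)
        if os.path.islink(prefix):
            return True
    return False


def resolves_inside(path: str, root: str) -> bool:
    """Canonicalise both sides (following every symlink) and require the
    destination to stay under the root, wherever the symlink sits."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path == real_root or real_path.startswith(real_root + os.sep)


def build_scenario() -> dict:
    """Constructed layout: the directory the user works in, a protected
    directory the privileged copier may read, and the attacker's sandbox."""
    base = tempfile.mkdtemp(prefix="tcc-demo-")
    allowed = os.path.join(base, "allowed")       # directory the user is working in
    secret = os.path.join(base, "secret")         # protected data the copier may read
    sandbox = os.path.join(base, "app_sandbox")   # attacker-controlled directory
    for d in (allowed, secret, sandbox):
        os.makedirs(d)
    with open(os.path.join(secret, "contacts.db"), "w") as f:
        f.write("constructed sample data\n")
    # The attacker replaces an intermediate directory with a symlink:
    # allowed/photos -> app_sandbox. Anything written "into" allowed/photos
    # lands in the sandbox, while the final component is an ordinary filename.
    os.symlink(sandbox, os.path.join(allowed, "photos"))
    return {"base": base, "allowed": allowed, "sandbox": sandbox,
            "src": os.path.join(secret, "contacts.db"),
            "dst": os.path.join(allowed, "photos", "contacts.db")}


def privileged_copy(src: str, dst: str, dst_ok) -> bool:
    """Stand-in for a privileged file operation gated on a destination check.
    Returns True if the copy went ahead."""
    if not dst_ok(dst):
        return False
    shutil.copy(src, dst)
    return True


def run_demo() -> dict:
    """Run the copy under each check and report whether data reached the sandbox."""
    s = build_scenario()
    try:
        leaked = os.path.join(s["sandbox"], "contacts.db")
        weak = privileged_copy(s["src"], s["dst"],
                               lambda p: not last_component_is_symlink(p))
        weak_leaked = os.path.isfile(leaked)
        if weak_leaked:
            os.remove(leaked)  # reset before trying the hardened checks
        walk = privileged_copy(s["src"], s["dst"],
                               lambda p: not symlink_below_root(p, s["allowed"]))
        canon = privileged_copy(s["src"], s["dst"],
                                lambda p: resolves_inside(p, s["allowed"]))
        return {"weak_check_copied": weak, "weak_check_leaked": weak_leaked,
                "walk_check_copied": walk, "canonical_check_copied": canon,
                "leaked_after_hardening": os.path.isfile(leaked)}
    finally:
        shutil.rmtree(s["base"])


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Under the weak check the destination's last component, contacts.db, is a plain filename, so the copy proceeds and the file materialises in app_sandbox. Both hardened checks refuse it: the component walk sees the symlink at allowed/photos, and the realpath comparison sees that the destination canonicalises outside the permitted root. Of the two, the realpath containment check is the more general defence, since it does not depend on guessing where in the path an attacker will place the link.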
Security teams may also wish to implement additional monitoring of application behaviour and endpoint protection.

Jamf's vice-president of strategy, Michael Covington, warned that because the same updates also introduced Apple Intelligence, a series of artificial intelligence (AI) features for iOS devices, wariness about those features may have led some organisations to hold off applying the updates that carry the patch, leaving the attack vector open to exploitation.

"This discovery is a wake-up call for organisations to build comprehensive security strategies that address all endpoints," said the team. "Mobile devices, as much as desktops, are critical parts of any security framework. Extending security practices to include mobile endpoints is essential in an era where mobile attacks are increasingly sophisticated."