DMN Security Bite is proudly presented by Mosyle, the premier Apple Unified Platform. Our mission is to ensure Apple devices are ready for work and secure for enterprises. We offer a unique, integrated approach to management and security, combining advanced Apple-specific security measures for fully automated Hardening & Compliance, Next Generation EDR, AI-based Zero Trust, and exclusive Privilege Management with the most robust and modern Apple MDM available. The outcome? A fully automated Apple Unified Platform, trusted by over 45,000 organizations, making millions of Apple devices work-ready effortlessly and affordably. Request your EXTENDED TRIAL today and discover how Mosyle is everything you need for Apple operations.
Last week, I received a compelling report from the security research division of the well-known Apple device management company Jamf, outlining a serious vulnerability in iOS and macOS. This finding was under an embargo, but I can now share it with you.
Jamf Threat Labs identified a critical vulnerability within Apple’s Transparency, Consent, and Control (TCC) subsystem on both iOS and macOS that could permit malicious applications to access sensitive user data unnoticed, without generating any notifications or requiring user consent.
In Apple’s ecosystem, TCC serves as a crucial security framework, prompting users to allow, limit, or deny app requests for access to sensitive information. Users typically encounter these prompts when opening apps for the first time. However, a TCC bypass vulnerability can occur if this control mechanism fails, allowing applications to access personal data without the user’s explicit consent or even knowledge.
The recently discovered vulnerability, labeled CVE-2024-44131, affects the Files.app and FileProvider.framework system processes, potentially disclosing users’ private details, including photos, GPS locations, contacts, and health data. Furthermore, Jamf indicates it might enable malicious applications to gain access to a user’s microphone and camera, entirely undetected.
How it operates
Jamf’s research team discovered that the potential bypass involved symlinks exploiting file operation handling within iOS. By cleverly inserting a symlink during a file copy process, a malicious app can intercept and redirect file movements without raising a TCC prompt.
“When a user moves or copies files within Files.app, a background malicious application can intercept these actions and redirect files to other locations controlled by the app,” the Jamf Threat Labs report states. “Taking advantage of fileproviderd’s elevated privileges, the malicious app can hijack file transfers without triggering a TCC alert. This exploitation could occur in an instant, completely unnoticed by the end user.”
The most concerning aspect of this vulnerability is its capacity for covert data access. Since no TCC prompts occur, users remain unaware that their information is being accessed or transferred to a directory under the control of an attacker.
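A defensive illustration of the pattern Jamf describes, added here and not taken from the Jamf report or from Apple's code: a copy routine that resolves its trusted root once, refuses any symlink in the destination chain, and opens the target with O_NOFOLLOW so a link planted between the check and the open is rejected rather than followed. The directory names, the `UnsafeDestinationError` class and the "attacker" directory are constructed for the demo.

```python
import os
import shutil
import tempfile

class UnsafeDestinationError(Exception):
    """Destination is not a chain of plain directories below the trusted root."""

def safe_copy(src: str, trusted_root: str, rel_dst: str) -> str:
    """Copy `src` to `trusted_root/rel_dst` without ever following a symlink.

    The root is resolved once; each component of `rel_dst` below it is checked
    with lstat (os.path.islink), so a symlink planted by another process cannot
    redirect the copy. The file is opened with O_NOFOLLOW | O_EXCL so a symlink
    dropped between the check and the open is rejected, not followed (TOCTOU).
    """
    current = os.path.realpath(trusted_root)
    for part in rel_dst.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            raise UnsafeDestinationError("path traversal in destination: " + rel_dst)
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise UnsafeDestinationError("symlink in destination path: " + current)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    with open(src, "rb") as fin, os.fdopen(os.open(current, flags, 0o600), "wb") as fout:
        shutil.copyfileobj(fin, fout)
    return current

def demo() -> dict:
    """Constructed scenario: a clean destination, then one where a subdirectory
    has been swapped for a symlink into an 'attacker' directory."""
    base = tempfile.mkdtemp()
    src = os.path.join(base, "note.txt")
    with open(src, "w") as f:
        f.write("private note")
    root = os.path.join(base, "Documents")
    os.makedirs(os.path.join(root, "Work"))
    attacker_dir = os.path.join(base, "attacker")
    os.mkdir(attacker_dir)
    copied = safe_copy(src, root, "Work/note.txt")  # plain dirs: succeeds
    os.symlink(attacker_dir, os.path.join(root, "Shared"))  # planted redirect
    try:
        safe_copy(src, root, "Shared/note.txt")
        blocked = False
    except UnsafeDestinationError:
        blocked = True
    content = open(copied).read()
    return {"copied_to": copied, "content": content, "hostile_blocked": blocked,
            "leaked": os.path.exists(os.path.join(attacker_dir, "note.txt"))}
```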
Files stored in iCloud are particularly at risk, especially those found in paths like /var/mobile/Library/Mobile Documents/. Beyond photos and documents, this includes data from applications such as WhatsApp, Pages, and other cloud-synced apps.
It’s currently unclear whether this vulnerability was being actively exploited. Jamf promptly alerted Apple, which implemented a patch in the initial release of iOS 18 and macOS 15 in September.
You can view the complete research by Jamf Threat Labs here.
Follow Arin: Twitter/X, LinkedIn, Threads