Sploitlight
Microsoft Threat Intelligence (MacRumors):
Microsoft Threat Intelligence has discovered a macOS vulnerability that could allow attackers to steal private data of files normally protected by Transparency, Consent, and Control (TCC), such as files in the Downloads folder, as well as caches utilized by Apple Intelligence. While similar to prior TCC bypasses like HM-Surf and powerdir, the implications of this vulnerability, which we refer to as “Sploitlight” for its use of Spotlight plugins, are more severe due to its ability to extract and leak sensitive information cached by Apple Intelligence, such as precise geolocation data, photo and video metadata, face and person recognition data, search history and user preferences, and more. These risks are further complicated and heightened by the remote linking capability between iCloud accounts, meaning an attacker with access to a user’s macOS device could also exploit the vulnerability to determine remote information of other devices linked to the same iCloud account.
[…]
On modern macOS systems, Spotlight plugins are not even permitted to read or write any file other than the one being scanned. However, we have concluded that this is insufficient, as there are multiple ways for attackers to exfiltrate the file’s contents.
[…]
Change the bundle’s Info.plist and schema.xml files to declare the file types they wish to leak in UTI form. Since we assume an attacker runs locally, this is always possible to resolve, even for dynamic types.
Copy the bundle into ~/Library/Spotlight directory. Note the bundle does not need to be signed at all.
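The two quoted steps are what a defender needs to check for: a third-party importer bundle in a user-writable Spotlight directory, possibly unsigned, whose Info.plist claims UTIs for sensitive file types. The audit below is an added example written for this post, not code from Microsoft or Apple. It walks the importer directories, parses each bundle's Contents/Info.plist with plistlib, lists the UTIs declared under CFBundleDocumentTypes/LSItemContentTypes, and records whether codesign accepts the bundle (reported as "unknown" off macOS). The sample bundle it builds in a temporary directory is constructed and inert (no executable, made-up identifier and UTIs), only to show what the report looks like.

```python
import os
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Directories Spotlight loads third-party importers from. ~/Library/Spotlight is
# user-writable, which is what the quoted steps rely on.
DEFAULT_SEARCH_DIRS = [Path.home() / "Library" / "Spotlight", Path("/Library/Spotlight")]


def declared_utis(info_plist):
    """Every UTI the importer claims via CFBundleDocumentTypes/LSItemContentTypes, deduplicated, in order."""
    utis = []
    for doc_type in info_plist.get("CFBundleDocumentTypes", []):
        for uti in doc_type.get("LSItemContentTypes", []):
            if uti not in utis:
                utis.append(uti)
    return utis


def signature_status(bundle):
    """'valid' or 'invalid' from codesign on macOS; 'unknown' where codesign does not exist."""
    codesign = shutil.which("codesign")
    if codesign is None:
        return "unknown"
    result = subprocess.run([codesign, "--verify", "--strict", str(bundle)], capture_output=True)
    return "valid" if result.returncode == 0 else "invalid"


def audit_importers(search_dirs=DEFAULT_SEARCH_DIRS):
    """Inventory every *.mdimporter bundle under the given directories."""
    findings = []
    for directory in search_dirs:
        if not directory.is_dir():
            continue
        for bundle in sorted(directory.glob("*.mdimporter")):
            plist_path = bundle / "Contents" / "Info.plist"
            try:
                with open(plist_path, "rb") as fh:
                    info = plistlib.load(fh)
            except (OSError, plistlib.InvalidFileException):
                info = {}  # missing or malformed plist: still report the bundle
            findings.append({
                "bundle": str(bundle),
                "bundle_id": info.get("CFBundleIdentifier", "<none>"),
                "utis": declared_utis(info),
                "signature": signature_status(bundle),
                # an importer dropped into a directory the current user can write is the Sploitlight pattern
                "user_writable": os.access(directory, os.W_OK),
            })
    return findings


def build_sample_bundle(root):
    """Constructed, inert importer bundle (plist only, no code) that claims a few UTIs."""
    bundle = root / "Example.mdimporter"
    (bundle / "Contents").mkdir(parents=True)
    info = {
        "CFBundleIdentifier": "com.example.importer-audit-sample",  # made-up identifier
        "CFBundleDocumentTypes": [
            {"LSItemContentTypes": ["public.jpeg", "public.png"]},
            {"LSItemContentTypes": ["public.jpeg", "com.example.cache"]},  # made-up UTI
        ],
    }
    with open(bundle / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump(info, fh)
    return bundle


def run_demo():
    """Audit a temporary directory holding only the constructed sample bundle."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_bundle(root)
        return audit_importers([root])


if __name__ == "__main__":
    for finding in run_demo() + audit_importers():
        print(finding)
```

On a real Mac, run it as-is to list what sits in ~/Library/Spotlight and /Library/Spotlight, and compare with `mdimport -L`, which prints the importers Spotlight has actually loaded. Treat the signature column as inventory only: as the quoted text says, an unsigned bundle still loads, so a "valid" signature is not a gate, and any importer in a user-writable directory whose UTIs cover document or media types deserves a look at what its code does with the file it is handed.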
In recent years, Microsoft security researchers have found multiple other severe macOS vulnerabilities, including a SIP bypass dubbed ‘Shrootless’ (CVE-2021-30892), reported in 2021, which enables attackers to install rootkits on compromised Macs.
More recently, they discovered a SIP bypass dubbed ‘Migraine’ (CVE-2023-32369) and a security flaw named Achilles (CVE-2022-42821), which can be exploited to install malware using untrusted apps that bypass Gatekeeper execution restrictions.
Last year, they reported another SIP bypass flaw (CVE-2024-44243) that lets threat actors deploy malicious kernel drivers by loading third-party kernel extensions.
Apple failed to fix this so many times. I first reported this back in macOS Big Sur, and it’s literally detailed in my EXP-312 course in “Bypass TCC via Spotlight Importer Plugins”
Then I reported it again and was fixed as CVE-2024-54533.
Looks like it still wasn’t fixed properly.
See also: Howard Oakley.
Not that this isn't serious - and thanks for the heads-up, I guess - but should the Microsoft guys really be spending their time looking for other companies' vulnerabilities?
Threat intel analysts generally follow a lead that was obtained from somewhere and don't necessarily only look into their own software (that's for devs to do).
These analysts from numerous companies are doing very honorable work keeping us all safe, most of the time it is not for the direct benefit of the company they represent, but for the knowledge that accumulates within these teams or to enhance capabilities of other services (SOC, or endpoint security) or services (incident response).
Microsoft writes software for the Mac, most notably the Office suite and especially Outlook, which many people are forced to use.
Ironically, considering their testing methods and the fact they fired almost all their trained software beta testers, they seem to have strong security teams.
Google does the same thing for the same reasons.
With regard to the exploit itself, Spotlight seems like a good target, and combined with Apple scrambling to show some use for Apple Intelligence, that clearly makes it an even better target, as it's something new they've developed in a hurry, which even sounds like a recipe for security vulnerabilities.