Microsoft said that attackers could use a macOS vulnerability to bypass Transparency, Consent, and Control (TCC) technology and gain access to protected user data.
Back in the summer of 2021, a research group informed Apple developers about a vulnerability dubbed powerdir (CVE-2021-30970). The bug is related to the TCC technology, which is designed to block applications from accessing sensitive user data. This allows macOS users to customize privacy settings for apps and devices connected to their Macs, including cameras and microphones.
While Apple has restricted access to TCC (only for apps with full disk access) and configured features to automatically block unauthorized code execution, Microsoft researchers have found that attackers could inject a second custom-built TCC database into the system, allowing them to gain access to a secure information.
The point is that TCC supports two types of databases – one for permissions that apply to a specific user profile, and the other for permissions that apply globally, system-wide, protected by System Integrity Protection (SIP), and are only available for applications with full disk access.
In fact, a user with full disk access can find the TCC.db file, which is a SQLITE database, view it, and even edit it. Thus, an attacker with full access to the TCC databases can grant arbitrary permissions to his malicious applications, which the user will not even know about.
Apple fixed this issue in December 2021 with the release of macOS 11.6 and 12.1.
CVE-2021-30970 is the third TCC bypass issue. Earlier in 2021, Apple fixed bugs CVE-2020-9934 and CVE-2020-27937, as well as the zero-day vulnerability CVE-2021-30713, which also allowed an attacker to gain full access to the disk, record data from the screen, and perform other actions without explicit user consent.
Let me remind you that we wrote that Vulnerability in WebKit engine could redirect iOS and macOS users to scam sites, and also that Spy method NoReboot allows simulating iPhone shutdown and prying through the camera.