Overview of the Issue

Apple has released security patches for iOS 18, iPadOS 18, and macOS Sequoia 15 to fix a problem that could allow certain apps to gain access to sensitive data without users knowing. This problem, identified as CVE-2024-44131 and rated 5.3 on the CVSS scale, was found in the FileProvider component. Attackers could use it to get around the Transparency, Consent, and Control (TCC) system, which is supposed to let users decide whether apps can see important data.

You might be interested in: Critical ICS Vulnerabilities This Week Demand Immediate Attention

How the Vulnerability Worked

The issue was discovered by Jamf Threat Labs. According to their findings, a harmful app already on the device could secretly gather private data. TCC is meant to show alerts and request user approval before apps access sensitive information like photos, contacts, and location. But with this vulnerability, attackers could get to files, folders, Health data, and even use the microphone or camera without the user being warned.

Exploiting File Moves in Files App

This bug allowed a malicious background app to watch when a user moved or copied files in the Files app. The attacker could then redirect those file actions to a place under their control. By doing this, the malicious app could move those files to its own storage area and then send them off to a remote server.

Trick Through Symlinks

The key to this attack was taking advantage of symbolic links (symlinks). Normally, symlinks are checked to prevent misuse. However, the attacker would start by copying a harmless file. Once that process began, they would create a symlink at just the right time. This trick bypassed the usual checks and let the attacker move or copy files from “/var/mobile/Library/Mobile Documents/”. This location includes iCloud backup data from both Apple’s own apps and third-party apps, allowing the attacker to steal valuable information.

Impact on User Trust and Data Access

This vulnerability is dangerous because it completely bypassed the TCC system without showing any prompts. The level of harm depended on which process was targeted. Not all types of data could be taken, since some folders have random names or need certain system calls. Still, enough data could be accessed to damage user trust and put personal information at risk.

Apple’s Fixes and Other Updates

Apple says it fixed this problem by improving how symlinks are checked in the affected operating systems. Alongside this fix, Apple also patched other bugs. Among them were four flaws in WebKit that could cause memory problems or crashes, and a logic issue in Audio (CVE-2024-54529) that could let an app run code with kernel-level power.

Apple also addressed a problem in Safari (CVE-2024-44246) that could expose the origin IP address of a website in a user’s Reading List, even if Private Relay was turned on. The company fixed it by improving how Safari requests are handled.

Conclusion

With these updates, Apple aims to restore user trust and close the gap that allowed harmful apps to slip past TCC’s checks. By addressing these issues, Apple continues to strengthen its operating systems against emerging threats and keeps user data more secure.