Microsoft highlights macOS vulnerability, Apple issues fix
Know the threat, patch the threat.
What you need to know
- Every OS gets hit with threats, and macOS is no exception.
- A recent vulnerability dubbed "powerdir" was caught by Microsoft, which released a blog post explaining what the threat was.
- Powerdir has already been addressed and patched by Apple, so you just need to make sure you're updated in order to stay safe.
Though Windows has its own laundry list of vulnerabilities and security issues, macOS isn't perfect either. Take, for example, the recent "powerdir" vulnerability that left the door open for attackers to gain access to Mac users' personal data.
Before digging into the nitty-gritty of powerdir, it's worth noting that Apple's already patched the vulnerability (and credited Microsoft), so if you haven't downloaded security updates for a few weeks, you should. You can read the full scoop on macOS updates over at Apple's patch notes.
Now that the issue's fixed, Microsoft has taken to its blog to publicly dissect powerdir and give those interested in its inner workings a better understanding of the vulnerability. It had the power to "allow an attacker to bypass the operating system's Transparency, Consent, and Control (TCC) technology, thereby gaining unauthorized access to a user's protected data," according to the blog.
You're going to need technical knowledge to understand the bulk of Microsoft's post on the subject, so either be prepared to Google (or, heh, Bing) a lot or come prepared with knowledge of what a hexadecimal blob is.
Microsoft's post, beyond just explaining the danger, gives useful examples of the threat posed by powerdir. It shows the vulnerability giving an attacker the ability to enable camera and microphone access in any app, including Microsoft Teams. It also addresses the history of TCC dangers and how powerdir is far from the only one.
Robert Carnevale is the News Editor for Windows Central.
Good Guy Microsoft
Microsoft's approach here is far more respectful than how Google approaches publishing vulnerabilities for other companies. Even Apple thanked Microsoft for this.
Google's approach is transparently deployed to serve business interest. I guess they feel that Microsoft, their chief rival and target, has a much larger "legacy" software estate, giving them (Google) the structural advantage when using such a "name and shame" cudgel approach to security research.
Eh.. they are still scummy
Apple wouldn't do the same.