New macOS TCC Bypass Vulnerability Allows Attackers to Access Sensitive User Data

A newly discovered macOS vulnerability, identified as CVE-2025-43530, allows attackers to bypass Apple’s Transparency, Consent, and Control (TCC) protections.

By exploiting a private API within the ScreenReader.framework, a core component of the VoiceOver accessibility feature, malicious actors can gain unauthorized access to sensitive user data.

The Vulnerability: Flawed Trust Verification

The flaw resides in the system MIG service com.apple.scrod. This service is designed to handle screen reader operations and possesses powerful TCC entitlements, including permissions to access Apple Events, the microphone, and sensitive documents.

The vulnerability exists in how the service verifies if a client application is “trusted” before executing commands.

Specifically, the service uses a routine named isTrusted to check the identity of the program requesting access.

However, instead of securely checking the client's audit token (a kernel-supplied identifier for the calling process), the service uses the API SecStaticCodeCreateWithPath, which evaluates the program's file on disk rather than the running process itself.

This creates a critical security gap: the system validates the file on the disk, not the actual code running in memory.

Attackers can exploit this verification flaw using a Time-of-Check to Time-of-Use (TOCTOU) attack. By swapping a legitimate, Apple-signed application with a malicious one during verification, an attacker can trick the system into granting elevated permissions.

Additionally, because the check relies on code signatures like “anchor apple” (meaning signed by Apple), attackers can inject malicious code (e.g., a .dylib payload) into a genuine Apple binary.

For instance, a simple command-line instruction could inject code into a trusted system process without requiring root privileges.

Once trusted, the attacker can execute arbitrary AppleScripts to control the Finder or other apps, effectively bypassing TCC to steal data.

Apple has addressed this vulnerability in macOS 26.2. The patch introduces a stricter verification method.

Now, the system checks for a specific entitlement, com.apple.private.accessibility.scrod, directly against the client's audit token.

This ensures that only legitimate, authorized processes can access the service, rendering file-path-based spoofing and TOCTOU attacks ineffective.
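The following is an added example, written for this page against Apple's Security.framework; it is not code from com.apple.scrod, from Apple, or from the article. It places the path-based pattern the article describes beside an audit-token-based check of the kind the fix is said to introduce. The function names, the use of a MIG audit trailer to obtain the token, and the exact requirement string (built from the "anchor apple" clause and the entitlement name given in the article) are assumptions.

```objc
// Added example (not the service's own code): path-based vs. audit-token-based
// client verification on macOS. Function names and the requirement string are
// assumptions; the entitlement name is the one reported in the article.
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#include <mach/mach.h>
#include <stdbool.h>
#include <string.h>

// Requirement: signed by Apple AND carrying the private entitlement. Whether
// the real service uses exactly this requirement text is an assumption.
static const char *kTrustedRequirement =
    "anchor apple and entitlement[\"com.apple.private.accessibility.scrod\"] exists";

static SecRequirementRef make_requirement(void) {
    CFStringRef text = CFStringCreateWithCString(kCFAllocatorDefault, kTrustedRequirement,
                                                 kCFStringEncodingUTF8);
    SecRequirementRef req = NULL;
    OSStatus st = SecRequirementCreateWithString(text, kSecCSDefaultFlags, &req);
    CFRelease(text);
    return (st == errSecSuccess) ? req : NULL;
}

// Weak pattern (the one the article describes): validate whatever file is at
// `path` right now. This says nothing about the code the calling process has
// mapped in memory, and the file can change between check and use.
bool is_trusted_by_path(const char *path) {
    bool ok = false;
    SecRequirementRef req = make_requirement();
    if (!req) return false;
    CFURLRef url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (const UInt8 *)path,
                                                           strlen(path), false);
    SecStaticCodeRef code = NULL;
    if (url && SecStaticCodeCreateWithPath(url, kSecCSDefaultFlags, &code) == errSecSuccess) {
        ok = (SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (code) CFRelease(code);
    if (url) CFRelease(url);
    CFRelease(req);
    return ok;
}

// Hardened pattern: identify the client by the audit token the kernel attached
// to the Mach message (a MIG server gets it by requesting MACH_RCV_TRAILER_AUDIT
// and reading msgh_audit from the mach_msg_audit_trailer_t), then validate the
// live process against the requirement. SecCodeCheckValidity evaluates the
// running code object, not a path, so an on-disk swap after launch is irrelevant,
// and a genuine Apple binary without the entitlement still fails the check.
bool is_trusted_by_audit_token(audit_token_t token) {
    bool ok = false;
    SecRequirementRef req = make_requirement();
    if (!req) return false;
    CFDataRef tokenData = CFDataCreate(kCFAllocatorDefault, (const UInt8 *)&token, sizeof(token));
    const void *keys[] = { kSecGuestAttributeAudit };
    const void *vals[] = { tokenData };
    CFDictionaryRef attrs = CFDictionaryCreate(kCFAllocatorDefault, keys, vals, 1,
                                               &kCFTypeDictionaryKeyCallBacks,
                                               &kCFTypeDictionaryValueCallBacks);
    SecCodeRef code = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, attrs, kSecCSDefaultFlags, &code) == errSecSuccess) {
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (code) CFRelease(code);
    CFRelease(attrs);
    CFRelease(tokenData);
    CFRelease(req);
    return ok;
}
```

The practical difference is in what each function actually binds the decision to. The path variant answers "is the file at this path Apple-signed?", which any Apple-signed binary can satisfy and which is racy by construction. The audit-token variant answers "is the process that sent me this message, as the kernel identifies it, Apple-signed and entitled?", which is the question a privileged service needs answered before it acts on a client's behalf.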

Feature              Details
CVE ID               CVE-2025-43530
Vulnerability Type   TCC Bypass / Privilege Escalation
Affected Component   ScreenReader.framework (VoiceOver)
Impact               Unauthorized access to sensitive user data (Microphone, Documents)
Exploit Vector       Private API abuse via MIG service com.apple.scrod
Fixed Version        macOS 26.2
Severity             High


The post New macOS TCC Bypass Vulnerability Allows Attackers to Access Sensitive User Data appeared first on Cyber Security News.
