Microsoft Uncovers Safety Flaw In macOS Highlight That May Leak Non-public Information

Microsoft’s Menace Intelligence group has identified a now-fixed safety vulnerability in Apple’s macOS Highlight search instrument that might have allowed unauthorized entry to delicate person knowledge. The problem, internally dubbed “Sploitlight”, stemmed from how Highlight dealt with plugin recordsdata and probably bypassed Apple’s privateness safety framework often known as Transparency, Consent, and Management (TCC).

The flaw made it doable for attackers to take advantage of Highlight’s plugin system—parts that usually assist index app content material for search and are confined inside a sandbox setting. Nevertheless, Microsoft’s researchers found a technique to control these plugins to realize entry to cached knowledge generated by Apple’s AI options.

If exploited, the vulnerability might have uncovered a variety of personal data, together with:

Exact location knowledge
Picture and video metadata
Facial recognition knowledge from the Photographs app
Search historical past
Summaries generated by AI instruments, resembling electronic mail content material
Person preferences and settings

Regardless of the intense implications, Microsoft confirmed that the vulnerability was not actively exploited. Following accountable disclosure practices, the corporate reported its findings to Apple, which rapidly addressed the difficulty.

Apple launched a repair as a part of macOS 15.4 and iOS 18.4, each rolled out on March 31. In accordance with Apple’s safety documentation, the patch concerned bettering how the system handles sure forms of knowledge, serving to to make sure stricter management over plugin habits. Alongside the Highlight repair, Apple additionally resolved two further vulnerabilities reported by Microsoft—one associated to symbolic hyperlink validation and one other involving system state administration.

This incident underscores the significance of cross-company collaboration in addressing rising safety threats, particularly as platforms proceed to combine AI and machine studying options. It additionally highlights the worth of standard system updates, as many vulnerabilities are addressed quietly behind the scenes.

For finish customers, no motion is required past making certain that gadgets are updated. The problem has been resolved, and Apple’s fast response prevented the vulnerability from being weaponized in real-world assaults.

Filed in Apple >Computers. Learn extra about Apple, Cybersecurity, macOS, Microsoft, Privacy and Security.