JVN#42691027
"direct" Desktop App for macOS fails to restrict access permissions
Overview
"direct" Desktop App for macOS provided by L is B Corp. fails to restrict access permissions.
Products Affected
- "direct" Desktop App for macOS ver 2.6.0 and earlier
Description
"direct" Desktop App for macOS provided by L is B Corp. fails to restrict access permissions (CWE-284).
The access control mechanism provided by macOS "TCC (Transparency Consent and Control)" may be bypassed.
Impact
Camrea, microphone, etc. of the device where the product is installed may be used without the user's consent. As a result, the recorded image/audio data may be obtained.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Note that the existence of the vulnerability has not been confirmed in the App's Windows version, but as it is using a similar mechanism as the Mac version, an update has been released for it as well.
Vendor Status
| Vendor | Link |
| L is B Corp. | "direct" Desktop App fails to restrict access permissions - direct status (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Koh M. Nakagawa of FFRI Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-41775 |
| JVN iPedia |
JVNDB-2023-000092 |