Microsoft’s Risk Intelligence workforce has identified a now-fixed safety vulnerability in Apple’s macOS Highlight search software that might have allowed unauthorized entry to delicate consumer information. The problem, internally dubbed “Sploitlight”, stemmed from how Highlight dealt with plugin recordsdata and probably bypassed Apple’s privateness safety framework referred to as Transparency, Consent, and Management (TCC).
The flaw made it doable for attackers to take advantage of Highlight’s plugin system—parts that usually assist index app content material for search and are confined inside a sandbox surroundings. Nonetheless, Microsoft’s researchers found a technique to control these plugins to realize entry to cached information generated by Apple’s AI options.
If exploited, the vulnerability may have uncovered a variety of personal data, together with:
-
Exact location information
-
Picture and video metadata
-
Facial recognition information from the Pictures app
-
Search historical past
-
Summaries generated by AI instruments, resembling e mail content material
-
Consumer preferences and settings
Regardless of the intense implications, Microsoft confirmed that the vulnerability was not actively exploited. Following accountable disclosure practices, the corporate reported its findings to Apple, which shortly addressed the problem.
Apple launched a repair as a part of macOS 15.4 and iOS 18.4, each rolled out on March 31. In accordance with Apple’s safety documentation, the patch concerned bettering how the system handles sure sorts of information, serving to to make sure stricter management over plugin habits. Alongside the Highlight repair, Apple additionally resolved two extra vulnerabilities reported by Microsoft—one associated to symbolic hyperlink validation and one other involving system state administration.
This incident underscores the significance of cross-company collaboration in addressing rising safety threats, particularly as platforms proceed to combine AI and machine studying options. It additionally highlights the worth of normal system updates, as many vulnerabilities are addressed quietly behind the scenes.
For finish customers, no motion is required past guaranteeing that units are updated. The problem has been resolved, and Apple’s speedy response prevented the vulnerability from being weaponized in real-world assaults.
Filed in . Learn extra about Apple, Cybersecurity, macOS, Microsoft, Privacy and Security.
Trending Merchandise
Thermaltake V250 Motherboard Sync ARGB ATX Mid-Tower Chassis with 3 120mm 5V Addressable RGB Fan + 1 Black 120mm Rear Fan Pre-Installed CA-1Q5-00M1WN-00
Dell KM3322W Keyboard and Mouse
Sceptre Curved 24-inch Gaming Monitor 1080p R1500 98% sRGB HDMI x2 VGA Construct-in Audio system, VESA Wall Mount Machine Black (C248W-1920RN Sequence)
HP 27h Full HD Monitor – Diagonal – IPS Panel & 75Hz Refresh Rate – Smooth Screen – 3-Sided Micro-Edge Bezel – 100mm Height/Tilt Adjust – Built-in Dual Speakers – for Hybrid Workers,Black
Wi-fi Keyboard and Mouse Combo – Full-Sized Ergonomic Keyboard with Wrist Relaxation, Telephone Holder, Sleep Mode, Silent 2.4GHz Cordless Keyboard Mouse Combo for Laptop, Laptop computer, PC, Mac, Home windows -Trueque
