Microsoft spotlights Apple bug patched in March as SharePoint exploits continue
Amidst its own failure to fix a couple of bugs now under mass exploitation and being abused for espionage, data theft, and ransomware infections, Microsoft said Monday that it spotted a macOS vulnerability some months ago that could allow attackers to steal private data. Redmond reported the bug to Cupertino, which issued a fix back in March.
The vulnerability, tracked as CVE-2025-31199, affects macOS Sequoia and has not yet been assigned a CVSS rating. Apple first disclosed the flaw in March, at the same time as releasing a fix.
In a Monday report, Microsoft Threat Intelligence said the now-fixed flaw could allow miscreants to extract and leak all sorts of sensitive information cached by Apple Intelligence, including precise geolocation data, photo and video metadata, face and person recognition data, search history, and user preferences.
This could have severe real-world consequences, such as physical stalking, harassment, and security threats, as an attacker might be able to identify the victim based on photos, geolocation, and places they frequent. They could even tell if someone was away from home from their precise location data.
Plus, since Apple devices linked to the same iCloud account automatically sync certain data, an attacker who compromises a user’s Mac could potentially access synced metadata and Apple Intelligence-tagged content originating from the user’s iPhone or iPad.
In its Monday bulletin, Microsoft dubbed the flaw “Sploitlight” because it abuses Spotlight plugins. Spotlight is Apple’s built-in search tool, and it uses plugins called Spotlight importers to index data found on a device.
“For example, Outlook can index emails for them to appear in search,” Microsoft Threat Intel wrote.
Sploitlight turns these plugins into a Transparency, Consent, and Control (TCC) bypass. TCC is a macOS security framework that prevents apps from accessing sensitive user data, such as location services, the camera, the microphone, and the Downloads directory, without user permission.
This isn’t the first time that Apple’s TCC has been abused for unauthorized data access. Similar TCC bypass flaws such as HM-Surf and powerdir have abused other components of the security mechanism to access users’ private data. Apple did not return a request for comment about the flaw.
There’s no doubt that Sploitlight presents a serious security threat — and as such, macOS Sequoia users should be sure that they’ve applied the March update. But the timing of Microsoft’s blog gives us pause.
Last week, Redmond disclosed that its July software update failed to fully patch two security flaws that allowed miscreants to take over on-premises SharePoint servers and remotely execute code.
More than 400 organizations, including the US Energy Department, have been compromised via the SharePoint vulnerabilities, and those exploiting the bugs include Chinese government spies, data thieves, and ransomware operators.
So while the details of the Apple bug are noteworthy, the technical writeup does carry a strong whiff of “look over there.” Microsoft did not immediately reply to a request for comment on the timing of the disclosure. ®
Updated to add at 0155 GMT on July 29, 2025
Regarding the timing of the macOS bug write-up, a Microsoft spokesperson told The Register after publication, “We collaborated with Apple to focus on the completeness of the fix and followed a responsible disclosure process helping fully mitigate the issue.”