Apple fixes macOS zero‑day bug that let malware take secret screenshots
You would do well to update to macOS Big Sur 11.4 post-haste
Apple has rolled out updates to address a bevy of security flaws, including three zero-day vulnerabilities that are being actively exploited in the wild. Two of the loopholes affect tvOS used for the Apple TV 4k and Apple TV HD offerings, whereas the third one resides in the macOS Big Sur operating system that powers Apple’s line of laptops and desktop devices.
“Apple is aware of a report that this issue may have been actively exploited,” reads the tech giant’s security bulletin describing the flaws in macOS Big Sur and tvOS, respectively.
Tracked as CVE-2021-30713, the zero-day in macOS Big Sur could allow an attacker to bypass Apple’s Transparency Consent and Control Framework that prompts users for permission whenever an action or permission request by an app has a direct impact on their privacy.
“This is the system that controls what resources applications have access to, such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings. The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior,” said the Jamf detection team, which discovered the bypass while digging into XCSSET malware.
Per Jamf, once the malware makes its way into the device it piggybacks off legitimate applications that already have the permissions to take screenshots or record the screen (think Zoom) without needing consent from the user. “The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions,” said Jamf.
Perhaps it’s worth mentioning that back in 2019, ESET researchers documented campaigns that targeted Windows users in France and delivered a malicious payload called Varenyky. In addition to sending spam or stealing passwords, Varenyky could record victims’ screens while they were watching sexual content online.
Meanwhile, the two vulnerabilities affecting the Apple TV line of products are indexed as CVE-2021-30663 and CVE-2021-30665 and reside in the WebKit component, Apple’s open-source web browser engine used by the Safari browser, Mail, and various other Apple native apps. While the former is an integer overflow bug, the latter is a memory corruption flaw, and both could be exploited by a threat actor using maliciously crafted web content and potentially lead to arbitrary code execution. The security holes have been plugged with the release of tvOS 14.6.
Beyond the three zero-days, Apple also issued security fixes for macOS Catalina and Mojave, iOS, iPadOS, the Safari browser and watchOS.
You would be well advised to apply all updates post-haste. Your devices should update automatically if you’ve enabled the option. Otherwise you can do so manually by going through the Settings menu. To find out more, you can refer to Apple’s security updates page.
In April, Apple quashed a severe macOS zero-day vulnerability that could allow malware to circumvent the operating system’s built-in protection mechanisms.