Security researchers at Jamf discovered the XCSSET malware exploiting the vulnerability, patched in Big Sur 11.4, to take photos of people’s computer screens without their knowledge.
Apple has patched a critical bug in macOS that could be exploited to take screenshots of someone’s computer and capture images of their activity within applications or on video conferences without that person knowing.
Apple addressed the vulnerability, discovered by researchers at enterprise cyber-security firm Jamf, in the latest version of macOS, Big Sur 11.4, released on Monday, the company told Forbes, according to a published report.
Researchers said they discovered that the XCSSET spyware was using the vulnerability, tracked as CVE-2021-30713, “specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions,” according to a post on the Jamf blog.
Researchers discovered the activity during analysis of XCSSET that they made “after noting a significant uptick of detected variants observed in the wild,” they outlined. Apple has not yet given specific details about the vulnerability in its entry in the CVE database.
Webcam and Microphone
The flaw works by bypassing the Transparency, Consent and Control (TCC) framework, which controls what resources applications have access to, “such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings,” according to the Jamf post.
“The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent–which is the default behaviour,” researchers observed.
History of the Spyware
When the spyware was first documented, Trend Micro researchers noticed XCSSET using two zero-day flaws to infiltrate: one in Data Vault that allowed it to bypass macOS’ System Integrity Protection (SIP) feature, and one in Safari for WebKit Development that allowed universal cross-site scripting (UXSS).
Now it appears a third zero-day flaw can be added to the list of those XCSSET can exploit, according to Jamf, which described in detail how the spyware takes advantage of the bug to bypass TCC.
Upon looking into the spyware, the Jamf Protect detection team noticed an AppleScript module titled “screen_sim.applescript” with a check called “verifyCapturePermissions” being used to search a list of installed apps for one that already holds permission to capture a screenshot. The list was derived from an earlier check of the following software app IDs, referred to by the malware as “donorApps.”
“As expected, the list of application IDs that are targeted are all applications that users regularly grant the screen-sharing permission to as part of its normal operation,” researchers wrote. “The malware then uses the following mdfind command, the command-line-based version of Spotlight, to check if the app IDs are installed on the victim’s device.”
If any of those IDs are found on the system, the command returns the path to the installed application and, with this information, XCSSET crafts a custom AppleScript application and injects it into the installed donor application.
For example, if the virtual meeting app Zoom (zoom.us.app) is found on the system, the malware will place itself like this: /Applications/zoom.us.app/Contents/MacOS/avatarde.app. If the victim machine is running macOS 11 or greater, it will then sign the avatarde application with an ad-hoc signature, one that is signed by the computer itself, researchers commented.
XCSSET can then take screenshots or record the screen when the victim is using Zoom without needing explicit consent from the user, inheriting those TCC permissions outright from the Zoom parent app. Researchers found that XCSSET also can use the flaw to hijack other permissions beyond screen sharing as well.
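The donor-app layout described above (a second .app planted directly inside a legitimate app’s Contents/MacOS directory, then ad-hoc signed) is something a defender can hunt for on disk. The script below is an added example written for this article, not code from Jamf or from the malware; it assumes the bundle path pattern given in the text and, for the optional signature check, that codesign -dv reports ad-hoc bundles with the string "Signature=adhoc" on stderr.

```python
#!/usr/bin/env python3
"""Hunt for .app bundles planted inside another app's Contents/MacOS directory,
the donor-app layout described above (e.g. zoom.us.app/Contents/MacOS/avatarde.app)."""
import os
import shutil
import subprocess
import sys
from pathlib import Path


def find_nested_app_bundles(root="/Applications"):
    """Return sorted paths of .app bundles whose parent is <Donor>.app/Contents/MacOS.

    Legitimate helper apps normally live under Contents/Frameworks or
    Contents/Library, so a bundle directly inside Contents/MacOS is unusual and
    worth triage; it is a lead, not proof of infection.
    """
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if not name.endswith(".app"):
                continue
            candidate = Path(dirpath) / name
            parts = candidate.parts
            if (len(parts) >= 4 and parts[-2] == "MacOS"
                    and parts[-3] == "Contents" and parts[-4].endswith(".app")):
                findings.append(str(candidate))
                dirnames.remove(name)  # do not descend into the planted bundle
    return sorted(findings)


def is_adhoc_signed(bundle_path):
    """On macOS, report whether codesign describes the bundle as ad-hoc signed.

    Returns None when codesign is not available (e.g. when run off-box).
    Assumption: codesign -dv writes "Signature=adhoc" to stderr for ad-hoc bundles.
    """
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(["codesign", "-dv", bundle_path],
                          capture_output=True, text=True)
    return "Signature=adhoc" in proc.stderr


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for hit in find_nested_app_bundles(scan_root):
        adhoc = is_adhoc_signed(hit)
        tag = {True: "ad-hoc signed", False: "not ad-hoc", None: "signature unchecked"}[adhoc]
        print(f"[suspicious] {hit} ({tag})")
```

Run it with no argument to scan /Applications, or pass another root (a mounted forensic image, for instance) as the first argument.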
macOS Threats on the Rise
Apple’s latest security woe comes on the heels of an Apple executive publicly lamenting the level of malware against the Mac platform, calling it “unacceptable” in testimony in a California court last Wednesday in the lawsuit brought against the company by Epic Games, maker of Fortnite.
Apple head of software engineering Craig Federighi used the threat level as an excuse for Apple’s tight restrictions on the software that is allowed to run on its platform and to be sold within its iOS App Store.
Indeed, 2021 has been a less-than-stellar year so far for Apple security. Earlier this month, Apple released a quartet of unscheduled updates for iOS, macOS and watchOS to apply security patches to flaws in its WebKit browser engine.
A week before that, Apple patched a zero-day vulnerability in macOS that can bypass critical anti-malware capabilities and which a variant of the notorious Mac threat Shlayer, an adware dropper, had already been exploiting for several months.
The company kicked off the year by removing a contentious macOS feature that allowed some Apple apps to bypass content filters, VPNs and third-party firewalls. It quickly followed that up with an emergency update to patch three zero-day vulnerabilities discovered in iOS, after a major software update in November of last year had already fixed three that were being actively exploited.