Big Sur 11.4 was updated this week to fix a zero-day vulnerability that allowed users to capture screenshots, capture video, and access files on another Mac without being noticed. The flaw lets users go around Apple’s Transparency Consent and Control (TCC) architecture, which manages app permissions.
According to Jamf’s blog, the issue was identified when the XCSSET spyware “used this bypass especially for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.” By effectively hijacking permissions granted to other programmes, the malware was able to get around the TCC.
Researchers identified this activity while analyzing XCSSET “after detecting a considerable spike of identified variations observed in the wild”. In its inclusion in the CVE database, Apple has yet to offer specific details regarding the issue. “The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent–which is the default behaviour,” researchers said.
At the time, Trend Micro researchers discovered that XCSSET was exploiting two zero-day flaws: one in Data Vault, which allowed it to bypass macOS’ System Integrity Protection (SIP) feature, and another in Safari for WebKit Development, which permitted universal cross-site scripting (UXSS).
According to Jamf, a third zero-day issue can now be added to the list of flaws that XCSSET can attack. Jamf detailed how the malware exploits the issue to circumvent the TCC.
Avast Security Evangelist Luis Corrons recommends not waiting to update your Mac. “All users are urged to update to the latest version of Big Sur,” he said. “Mac users are accustomed to receiving prompts when an app needs certain permissions to perform its duties, but attackers are bypassing that protection completely by actively exploiting this vulnerability.”
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.