Apple has released a patch to fix a zero-day vulnerability in macOS that is being actively exploited in the wild. The macOS vulnerability, tracked as CVE-2021-30663, affects macOS Big Sur devices and, according to Jamf researchers who discovered the vulnerability, has been exploited by XCSSET malware to bypass Apple’s Transparency Consent and Control (TCC) protections that protect users’ privacy.
Normally, the TCC protections will alert a user if an app attempts an action that could violate a user’s privacy, such as recording videos, logging keystrokes, or taking a screenshot. The user is then required to give their permission to allow that activity. The vulnerability allows TCC to be bypassed so no warning is generated, and a user does not need to give their explicit permission.
The researchers identified the zero-day vulnerability while conducting research into XCSSET malware. XCSSET malware was first discovered by researchers at Trend Micro in 2020, with a new variant of the malware identified in April 2021 that had been rejigged to also work on ARM Macs. The exploit used by the malware allows screenshots of the user’s desktop to be taken. The flaw could also be exploited to gain full disk access to steal files, record videos, or record audio from the microphone.
The Jamf researchers explained that XCSSET malware could inject an app within the Zoom videoconferencing platform unknown to the user that is capable of recording screenshots and videos of the Zoom meeting. This would be possible as Zoom already has permissions to conduct screen recordings so no prompt would be generated, and permission would not need to be granted. The flaw has been corrected in macOS Big Sur 11.4
This is not the only malware variant that has exploited a macOS vulnerability in recent weeks. A malware variant called Shlayer was recently discovered to be exploiting a zero-day vulnerability that allowed it to bypass the security checks of Gatekeeper and File Quarantine that normally prevent unapproved, malicious apps from running. The malware had been exploiting the vulnerability for several months.
Last week, in a testimony in lawsuit filed in California court by Epic Games, Apple’s senior vice president of software engineering, Craig Federighi, said Macs had a serious malware problem “that we don’t find acceptable”. Unlike on iPhones, Macs allow software to be installed that is not vetted by Apple, which has given threat actors an opportunity to install malware.
Earlier this month, Apple released out-of-band updates for iOS, macOS, and watchOS that included patches for zero-day vulnerabilities in its Webkit browser engine. These were a memory corruption issue – CVE-2021-30665 – that could potentially be exploited to allow arbitrary code execution on unpatched devices by convincing a user to visit a maliciously crafted web page; an integer overflow flaw – CVE-2021-30663 – that could lead to arbitrary code execution; and a buffer overflow issue tracked as CVE-2021-30666.