Big Sur 11.4 was updated this week to fix a zero-day vulnerability that allowed users to capture screenshots, capture video, and access files on another Mac without being noticed. The flaw lets users go around Apple's Transparency Consent and Control (TCC) architecture, which manages app permissions.
According to Jamf's blog, the issue was identified when the XCSSET spyware "used this bypass especially for the purpose of taking screenshots of the user's desktop without requiring additional permissions." By effectively hijacking permissions granted to other programmes, the malware was able to get around the TCC.
Researchers identified this activity while analyzing XCSSET "after detecting a considerable spike of identified variations observed in the wild". In its inclusion in the CVE database, Apple has yet to offer specific details regarding the issue. “The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent–which is the default behaviour,” researchers said.
Last August, Trend Micro researchers identified the XCSSET malware after they detected fraudsters introducing malware into Xcode developer projects, causing infestations to spread. They recognized the virus as part of a package known as XCSSET, which can hijack the Safari web browser and inject JavaScript payloads that can steal passwords, bank data, and personal information, as well as execute ransomware and other dangerous functionalities.
At the time, Trend Micro researchers discovered that XCSSET was exploiting two zero-day flaws: one in Data Vault, which allowed it to bypass macOS' System Integrity Protection (SIP) feature, and another in Safari for WebKit Development, which permitted universal cross-site scripting (UXSS).
According to Jamf, a third zero-day issue can now be added to the list of flaws that XCSSET can attack. Jamf detailed how the malware exploits the issue to circumvent the TCC.
Avast Security Evangelist Luis Corrons recommends not waiting to update your Mac. “All users are urged to update to the latest version of Big Sur,” he said. “Mac users are accustomed to receiving prompts when an app needs certain permissions to perform its duties, but attackers are bypassing that protection completely by actively exploiting this vulnerability.”