Apple has Fixed an Actively Attacked Zero-day Vulnerability in macOS


Apple has fixed an actively attacked zero-day vulnerability in macOS that allowed malware to gain additional permissions without user interaction, such as access to the microphone, webcam, full disk access, or the ability to take screenshots.


Last year, antivirus company Trend Micro reported that it had discovered malware that spreads through Xcode projects and tries to steal passwords, cookies, and other data from developers on macOS, as well as open a backdoor on systems. Xcode is a development environment for macOS that allows developers to develop Apple-related software.


The malware, called XCSSET, can also steal information from Evernote, Notes, Skype, Telegram, QQ and WeChat. The malware also takes screenshots of the screen and uses a vulnerability in Safari to steal cookies. In addition, the malware installs the development version of Safari to add JavaScript backdoors to websites. This JavaScript code can modify bitcoin addresses, steal Apple, Google, PayPal, and Yandex credentials, as well as credit card information from the Apple Store.


According to security firm Jamf, the XCSSET malware used two zero-day vulnerabilities to steal Safari cookies and install the development version of the browser. During an investigation into the malware, it appeared that a third zero-day vulnerability was also being exploited. Through this vulnerability the malware bypassed Apple's Transparency, Consent, and Control (TCC) framework.


The TCC framework controls which resources applications can access, such as files and folders, the webcam, the microphone, Bluetooth, speech recognition and other components. Normally, an application only gets access to these after the user has granted permission. The malware used the vulnerability, designated CVE-2021-30713, to search for the IDs of applications that had previously been granted permissions by users.


The malware then creates a custom AppleScript application and places it inside the bundle of such an application. The malware can then use the permissions that were granted to the legitimate app. Apple has now fixed the problem in macOS Big Sur 11.4.
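The technique described above leaves a structural trace: an AppleScript applet that has been placed inside another application's bundle. The following audit script is an added example for defenders and is not code from the article, from Jamf or from Apple. It walks a directory tree, reports every .app bundle nested inside another .app bundle, and marks the ones whose main executable carries the name an AppleScript applet uses (assumption: the standard `Contents/MacOS/applet` or `droplet` layout that Script Editor produces). The directory layout it scans is a constructed fixture built in a temporary directory, so it runs on any platform; point `audit_nested_bundles` at `/Applications` on a Mac to use it for real. Legitimate apps also ship nested helper bundles, so the output is a list for review, not a verdict.

```python
import os
import tempfile
from pathlib import Path

# Main executable names used by script-based AppleScript applications
# (assumption: the standard applet/droplet layout produced by Script Editor).
APPLET_EXECUTABLE_NAMES = {"applet", "droplet"}


def enclosing_bundle(path):
    """Return the nearest ancestor of `path` that is itself an .app bundle, or None."""
    for parent in Path(path).parents:
        if parent.suffix == ".app":
            return parent
    return None


def is_applescript_applet(bundle):
    """True when the bundle's main executable has the name an AppleScript applet uses."""
    macos_dir = Path(bundle) / "Contents" / "MacOS"
    if not macos_dir.is_dir():
        return False
    return any(child.name in APPLET_EXECUTABLE_NAMES for child in macos_dir.iterdir())


def audit_nested_bundles(root):
    """Walk `root` and report every .app bundle that lives inside another .app bundle.

    Returns a sorted list of (outer_bundle, inner_bundle, inner_is_applet) tuples with
    paths relative to `root`, so the caller can decide which findings need a closer look.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not name.endswith(".app"):
                continue
            inner = Path(dirpath) / name
            outer = enclosing_bundle(inner)
            if outer is None:
                continue  # top-level bundle, nothing to report
            findings.append((
                str(outer.relative_to(root)),
                str(inner.relative_to(root)),
                is_applescript_applet(inner),
            ))
    return sorted(findings)


def suspicious_findings(findings):
    """Keep only the nested bundles that look like AppleScript applets."""
    return [f for f in findings if f[2]]


def build_fixture(root):
    """Create a constructed directory tree that mimics /Applications (sample data, not real apps)."""
    layout = [
        # A normal app bundle with its own compiled executable.
        "Donor.app/Contents/MacOS/Donor",
        # A legitimate-looking nested helper bundle: nested, but not a script applet.
        "Donor.app/Contents/Frameworks/Helper.app/Contents/MacOS/Helper",
        # A nested AppleScript applet inside the donor bundle: the pattern to flag.
        "Donor.app/Contents/Resources/Update.app/Contents/MacOS/applet",
        # A top-level AppleScript applet: not nested, so not reported by this check.
        "Standalone.app/Contents/MacOS/applet",
    ]
    for rel in layout:
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")  # empty placeholder files stand in for binaries
    return root


def run_demo():
    """Build the constructed fixture in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return audit_nested_bundles(tmp)


if __name__ == "__main__":
    for outer, inner, applet in run_demo():
        flag = "APPLET" if applet else "helper"
        print(f"{flag:6} {inner}  (inside {outer})")
```

Running the demo lists two nested bundles under `Donor.app`; only `Update.app` is marked as an applet, which is the finding worth following up (who wrote it there, and does the outer app hold any TCC grants).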
