Hackers used macOS 0-days to bypass privacy features, take screenshots

Apple has also issued patches for security flaws in macOS Catalina, macOS Mojave, iOS, iPadOS, watchOS, and the Safari browser.

Apple Inc. has rolled out updates addressing three zero-day vulnerabilities, alongside other security flaws, that threat actors were actively exploiting in the wild. Two of the zero-days affect tvOS on the Apple TV 4K and Apple TV HD; the third is in macOS Big Sur, the operating system that powers Apple's laptops and desktops.

Apple acknowledged in its security bulletin that the flaws were being “actively exploited.” The macOS flaw was discovered by the Jamf detection team while analyzing the XCSSET malware.

0-Day flaws allowed attackers to bypass Apple’s privacy features

The macOS Big Sur zero-day, tracked as CVE-2021-30713, let an attacker bypass Apple's Transparency, Consent, and Control (TCC) framework. TCC prompts the user for permission whenever an app's actions directly affect their privacy, such as granting “video collaboration software access to webcam and microphone in order to participate in virtual meetings,” as the Jamf detection team noted.

“The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior,” the team explained.

The other two vulnerabilities, affecting Apple's TV products, are tracked as CVE-2021-30663 and CVE-2021-30665. Both were found in WebKit, the open-source browser engine used by Safari, Mail, and many other native Apple applications.

The first is an integer overflow and the second a memory corruption bug. Processing maliciously crafted web content could trigger either flaw and let an attacker execute arbitrary code.

How does it work?

According to Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner, as soon as the malware infects a device it piggybacks on legitimate applications that already hold permission to capture the screen, so it can take screenshots or screen recordings without the user ever being prompted for consent.

The researchers also noted that XCSSET used this bypass specifically to capture screenshots of the victim's desktop once installed, without needing any additional permissions.
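Because the bypass rides on consent that a legitimate application has already been granted, the first thing a responder wants is an inventory of which applications on a Mac hold Screen Recording, Full Disk Access, camera, and microphone grants. The script below is an added example (not Jamf's or Apple's code) that reads those grants out of a TCC database. It assumes the Big Sur-era TCC.db layout, an `access` table with `service`, `client`, `client_type`, and `auth_value` columns where `auth_value` 2 means "allowed"; Catalina and earlier used an `allowed` column holding 0 or 1 instead. It generalizes slightly beyond the article by reporting all four sensitive services, not only Screen Recording, and it ships with a constructed in-memory sample so it runs offline.

```python
"""Audit a macOS TCC database for apps holding privacy-sensitive grants.

Added example, not Jamf's or Apple's code. Assumptions: the Big Sur-era
TCC.db schema (table `access`; columns `service`, `client`, `client_type`,
`auth_value`) and auth_value == 2 meaning "allowed". Against the live system
database it needs Full Disk Access:

    sudo python3 tcc_audit.py "/Library/Application Support/com.apple.TCC/TCC.db"
"""
import sqlite3
import sys

# Grants that make an app a useful "donor" for the bypass described above:
# its consent covers whatever ends up running under its identity.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
}
AUTH_ALLOWED = 2  # assumed Big Sur encoding of "the user allowed this"

SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def sensitive_grants(conn):
    """Return {client: [grant labels]} for every allowed sensitive grant.

    `client` is a bundle identifier (client_type 0) or an absolute path
    (client_type 1); both are reported as stored.
    """
    grants = {}
    query = "SELECT service, client, auth_value FROM access"
    for service, client, auth_value in conn.execute(query):
        if service in SENSITIVE_SERVICES and auth_value == AUTH_ALLOWED:
            grants.setdefault(client, []).append(SENSITIVE_SERVICES[service])
    return {client: sorted(labels) for client, labels in grants.items()}


def screen_recorders(conn):
    """Clients allowed to record the screen: the grant XCSSET rode on."""
    return sorted(client for client, labels in sensitive_grants(conn).items()
                  if "Screen Recording" in labels)


def build_sample_db():
    """Constructed in-memory TCC.db; every row here is made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    sample = [
        ("kTCCServiceScreenCapture", "com.example.videoconf", 0, 2),
        ("kTCCServiceCamera", "com.example.videoconf", 0, 2),
        ("kTCCServiceMicrophone", "com.example.videoconf", 0, 2),
        ("kTCCServiceScreenCapture", "com.example.denied-app", 0, 0),  # user said no
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/backup-agent", 1, 2),
        ("kTCCServiceAddressBook", "com.example.crm", 0, 2),  # not a service we audit
    ]
    conn.executemany(
        "INSERT INTO access (service, client, client_type, auth_value) VALUES (?, ?, ?, ?)",
        sample,
    )
    conn.commit()
    return conn


def main(argv):
    if len(argv) > 1:
        conn = sqlite3.connect(f"file:{argv[1]}?mode=ro", uri=True)  # read-only
    else:
        conn = build_sample_db()
    for client, labels in sorted(sensitive_grants(conn).items()):
        print(f"{client}: {', '.join(labels)}")


if __name__ == "__main__":
    main(sys.argv)
```

Per-user grants live in `~/Library/Application Support/com.apple.TCC/TCC.db` and can be audited the same way. Every client the script lists is a candidate donor for the technique above, so the follow-up check is to confirm each flagged bundle has not been tampered with, for example with `codesign --verify --deep --strict` on the bundle path, and to treat a bare binary holding Full Disk Access as something that needs an owner.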
