Apple patches macOS flaw exploited by malware to secretly snap screenshots

Bug can also be abused to record audio and video, access files – and iOS, iPadOS updated, too


Apple has patched a hole in macOS that has been exploited by malware to secretly take screenshots on victims' Macs.

The security flaw can also be potentially abused to access files and record video and audio from the computer. The iGiant has also released iOS and iPadOS 14.6, which fix 43 CVE-listed security flaws and add a bunch of user-friendly UI tweaks.

Alert for iPhone and iPad users

Three flaws, including one spotted by Google's Project Zero, fixed in iOS 14.6 and iPadOS 14.6 can be exploited by a malicious app to run code with kernel-level privileges, allowing malicious software to completely take over the device. The UK's National Cyber Security Centre also passed on a denial-of-service issue that could be triggered with a maliciously crafted message.

Also on the trouble list is WebKit which, given the security update earlier this month, appears to be under serious scrutiny. Bug hunters found seven CVE flaws in the browser engine, including two that would allow arbitrary code execution – meaning they can be exploited by malicious webpages to compromise iPhones and iPads – and a couple of nasty universal cross-site scripting issues.

It looks like security shop Trend Micro has been doing a deep dive into Apple's Model I/O graphics system as well. Trend's flaw finders reported 10 CVE issues, three of which can be exploited to achieve code execution, and a handful of memory corruption issues.

A code execution hole in the Image I/O programming interface is also fixed, and user information and memory leakage issues are addressed. Apple has also updated its ASN.1 decoder so that specially crafted security certificates cannot execute code on iPhones and iPads when parsed.

Apple doesn't report that any of these bugs are being exploited in the wild as yet, though we know how quick malware developers are at turning patches into exploits. As such, it's advisable to apply updates as soon as possible.

Don't forget the Macs

Meanwhile, macOS Big Sur 11.4, also out on Monday, includes fixes for 74 CVE-listed flaws. How apt since Apple just threw its desktop operating system under the bus to save its iOS App Store.

Many of the flaws found and addressed in iOS and iPadOS cropped up and are fixed in macOS as well, particularly in the kernel, WebKit and Model I/O, though there are some holes unique to the desktop OS.

On the priority list is, ironically, a security bypass issue with Apple's Transparency Consent and Control (TCC) mechanism that is being exploited in the wild. CVE-2021-30713, spotted by Apple specialists Jamf, can be abused by a malicious application to surreptitiously take screenshots of Macs.

We're told this has been used by the XCSSET malware app to snoop on folks' desktops. What's more, the bug can be potentially exploited to access files on the machine, and record from the camera and microphone, too.

Here's how Jamf described TCC and the vulnerability:

This is the system that controls what resources applications have access to, such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings. The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior.

"We discovered this bypass being actively exploited during additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild," added Jamf intrusion analyst Jaron Bradley.

"The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions."

The Intel Graphics Driver comes in for a trio of security bug fixes, two of which allow arbitrary code execution with kernel privileges, and the other potentially causing a denial of service. That flaw has been fixed by removing dodgy code, and the most serious issues are now sorted out thanks to improved bounds checking.

There's also a major hole in Apple's Core Services modules, again allowing code execution if exploited. The issue stems from poor validation of symlinks, and this has been addressed in the new release.

OpenLDAP bagged ten CVEs, thankfully all basic denial of service issues, so annoying but not massively serious. Smbx also has a code execution fix and a handful of information leakage issues remedied. ®
