Apple has patched a hole in macOS that has been exploited by malware to secretly take screenshots on victims' Macs.
The security flaw can also potentially be abused to access files and record video and audio from the computer. The iGiant has also released iOS and iPadOS 14.6, which fixes 43 CVE-listed security flaws and adds a bunch of user-friendly UI tweaks.
Alert for iPhone and iPad users
Three flaws, including one spotted by Google's Project Zero, fixed in iOS 14.6 and iPadOS 14.6 can be exploited by a malicious app to run code with kernel-level privileges, allowing malicious software to completely take over the device. The UK's National Cyber Security Centre also passed on a denial-of-service issue that could be triggered with a maliciously crafted message.
Also on the trouble list is WebKit which, given the security update earlier this month, appears to be under serious scrutiny. Bug hunters found seven CVE flaws in the browser engine, including two that would allow arbitrary code execution – meaning they can be exploited by malicious webpages to compromise iPhones and iPads – and a couple of nasty universal cross-site scripting issues.
It looks like security shop Trend Micro has been doing a deep dive into Apple's Model I/O graphics system as well. Trend's flaw finders reported 10 CVE issues, three of which can be exploited to achieve code execution, and a handful of memory corruption issues.
A code execution hole in the Image I/O programming interface is also fixed, and user information and memory leakage issues are addressed. Apple has also updated its ASN.1 decoder so that specially crafted security certificates cannot execute code on iPhones and iPads when parsed.
Apple doesn't report that any of these bugs are being exploited in the wild as yet, though we know how quick malware developers are at turning patches into exploits. As such, it's advisable to apply updates as soon as possible.
Don't forget the Macs
Many of the flaws found and addressed in iOS and iPadOS cropped up and are fixed in macOS as well, particularly in the kernel, WebKit and Model I/O, though there are some holes unique to the desktop OS.
On the priority list is, ironically, a security bypass issue with Apple's Transparency, Consent, and Control (TCC) mechanism that is being exploited in the wild. CVE-2021-30713, spotted by Apple specialists Jamf, can be abused by a malicious application to surreptitiously take screenshots of Macs.
We're told this has been used by the XCSSET malware app to snoop on folks' desktops. What's more, the bug can be potentially exploited to access files on the machine, and record from the camera and microphone, too.
Here's how Jamf described TCC and the vulnerability:
This is the system that controls what resources applications have access to, such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings. The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior.
"We discovered this bypass being actively exploited during additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild," added Jamf intrusion analyst Jaron Bradley.
"The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions."
The Intel Graphics Driver comes in for a trio of security bug fixes, two of which allow arbitrary code execution with kernel privileges, and the other potentially causing a denial of service. That flaw has been fixed by removing dodgy code, and the most serious issues are now sorted out thanks to improved bounds checking.
There's also a major hole in Apple's Core Services modules, again allowing code execution if exploited. The issue stems from poor validation of symlinks, and this has been addressed in the new release.
OpenLDAP bagged ten CVEs, thankfully all basic denial of service issues, so annoying but not massively serious. Smbx also has a code execution fix and a handful of information leakage issues remedied. ®