
macrumors bot
Original poster
Apr 12, 2001


macOS Big Sur 11.4, which was released this morning, addresses a zero-day vulnerability that could allow attackers to piggyback off of apps like Zoom, taking secret screenshots and surreptitiously recording the screen.


Jamf, a mobile device management company, today highlighted a security issue that allowed Privacy preferences to be bypassed, providing an attacker with Full Disk Access, Screen Recording, and other permissions without a user's consent.

The bypass was actively exploited in the wild, and was discovered by Jamf when analyzing XCSSET malware. The XCSSET malware has been out in the wild since 2020, but Jamf noticed an uptick in recent activity and discovered a new variant.

Once installed on a victim's system, the malware was used specifically for taking screenshots of the user's desktop with no additional permissions required. Jamf said that it could be used to bypass other permissions as well, as long as the donor application the malware piggybacked off of had that permission enabled.

Jamf has a full rundown on how the exploit worked, and the company says that Apple addressed the vulnerability in macOS Big Sur 11.4. Apple confirmed to TechCrunch that a fix has indeed been enabled in macOS 11.4, so Mac users should update their software as soon as possible.

Article Link: macOS Big Sur 11.4 Addresses Vulnerability That Could Let Attackers Take Secret Screenshots
 

Kung gu

macrumors 65816
Oct 20, 2018
11.4 also fixes excessive SSD writes.

PSA: The SSD disk write issues have been fixed in 11.4, which came out today. The person who found the issue in the first place says it was a result of a kernel bug, and he also says 11.4 addresses the issue.
Update to 11.4 if you're on M1 Macs.
Users on this thread also report lower disk writes on 11.4.


 

Guyferd

macrumors newbie
Mar 23, 2016
So how was it installed? The usual pirated software? Tricking users into downloading it as a fake utility or game?
OK just read the report by JAMF. So it piggybacks on fake Xcode projects, then requires the user to grant access through the Terminal and also through System Preferences. I'm glad this was found and dealt with, but it seems like it's a pretty weak exploit since nearly all of these behaviors should alert a user with more than 2 brain cells to stop the process
 

Apple_Robert

macrumors Penryn
Sep 21, 2012
OK just read the report by JAMF. So it piggybacks on fake Xcode projects, then requires the user to grant access through the Terminal and also through System Preferences. I'm glad this was found and dealt with, but it seems like it's a pretty weak exploit since nearly all of these behaviors should alert a user with more than 2 brain cells to stop the process
Unfortunately, a lot of people click accept without really thinking about what they are giving system access to and for what reason.
 

now i see it

macrumors 604
Jan 2, 2002
Uhhhh, minor detail missing:

"XCSSET isn’t likely to infect Macs unless it has run a malicious Xcode project. That means people are unlikely to be infected unless they are developers who have used one of the projects. The Jamf post provides an indicators-of-compromise list that people can use to determine if they’ve been infected."
 

Your Royal Highness

macrumors member
Jun 27, 2020
If Apple really champions security and anonymity on the web, then these are things that users need to know in advance. No one wants to hear about it from a third-party. Apple has earned my trust and I get closing these flaws quietly but, in the interim, such aggressiveness can be communicated to users with a warning (maybe a color-coded scale per app) and a timeline of when a fix should be expected.
 

Wackery

macrumors 65816
Feb 1, 2015
11.4 also fixes excessive SSD writes.

PSA: The SSD disk write issues have been fixed in 11.4, which came out today. The person who found the issue in the first place says it was a result of a kernel bug, and he also says 11.4 addresses the issue.
Update to 11.4 if you're on M1 Macs.
Users on this thread also report lower disk writes on 11.4.


This is the real epic gamer moment with this update
 

9927036

Cancelled
Nov 12, 2020
OK just read the report by JAMF. So it piggybacks on fake Xcode projects, then requires the user to grant access through the Terminal and also through System Preferences. I'm glad this was found and dealt with, but it seems like it's a pretty weak exploit since nearly all of these behaviors should alert a user with more than 2 brain cells to stop the process
I guess there must be lots of people with less than 2 brain cells because according to JAMF it was actively exploited.
 

Mr. Dee

macrumors 68040
Dec 4, 2003
When Craig recently threw macOS under the bus for its poor security in comparison to iOS, that was a strategic decision. He wasn't speaking to your average user; this was a wake-up call to developers that the underlying future of macOS is iOS from an architectural standpoint.

The thing is, the app maturity is just not there yet even with the ecosystem's growth and success. But, give it 5 more years and I believe macOS will be based on iOS. Don't be alarmed or expect it to be a dramatic change; it will still be a windowing system, still look like Big Sur today, yes, a little more iOS-like. But, we can see Apple building towards this for years now: the move to APFS, which all the operating systems share, mouse/trackpad support in iPadOS, the ability to run iOS apps on macOS, iPad Pros on M1 chips.

Apple is slowly but surely chipping away at this. When WWDC 2025 is here, Apple will share the big news that iOS is an extremely secure and mature platform, with the world's largest app ecosystem. So, it would only make sense that we bring all these benefits to the Mac, and we have been doing that for nearly 10 years now.

What about the big apps: Office, Adobe Creative Suite, and even Apple's own big apps like Final Cut Pro and Logic, and even development tools like Swift?

1. They will likely just continue to run the same as they do today.
2. Containers will run them separately in a sort of protected partition space that's partitioned off from the rest of the system for compatibility along with the few remaining desktop apps. Basically, this will be a sort of virtual machine for these apps. There won't be any impact on performance at all.

But, I think this will be a temporary stop gap, partly because of the dramatically different landscape by 2025. The vast majority of desktop apps will be iOS based, and will be significantly mature enough to meet or exceed the needs of old classic desktop macOS apps. Heck, I wouldn't be surprised if even the desktop version of Office by 2025 will be based on the iOS version. But, Excel is a complex app like Photoshop, so it will still need to be based on the old code. Also, keep in mind, big apps might even become streamed apps that you access in a web browser.
 

williamyx

macrumors member
Jul 6, 2020
OK just read the report by JAMF. So it piggybacks on fake Xcode projects, then requires the user to grant access through the Terminal and also through System Preferences. I'm glad this was found and dealt with, but it seems like it's a pretty weak exploit since nearly all of these behaviors should alert a user with more than 2 brain cells to stop the process
iirc the xcode projects are real but the code is hidden inside as a poison pill and it spreads across the user's other projects, sorta like an IRL virus
 

mxrider88

macrumors 6502
Mar 8, 2019
The most advanced operating system in the world.
Mojave let you press enter and login without password, now this. Wow.
I have to admit the emojis are sick though!!
 

bollman

macrumors 6502
Sep 25, 2001
If Apple really champions security and anonymity on the web, then these are things that users need to know in advance. No one wants to hear about it from a third-party. Apple has earned my trust and I get closing these flaws quietly but, in the interim, such aggressiveness can be communicated to users with a warning (maybe a color-coded scale per app) and a timeline of when a fix should be expected.
You want Apple to provide a timeline for their software?
You have more luck finding Jimmy Hoffa, I'd say.
 