SecureMac, Inc.

macOS 11.4 fixes sneaky screenshot bug

May 25, 2021

Apple has just released updates for all of its OSes. The updates contain a number of security patches, but one in particular is getting all of the attention: a fix for a macOS 0-day that allowed attackers to take secret screenshots of a user’s Mac. 

In this article, we’ll discuss that bug, and we’ll touch on a few other highlights from this latest round of updates.

0-day patch in macOS Big Sur 11.4 

The big security news in macOS 11.4 is that Apple patched a 0-day vulnerability that allowed attackers to take screenshots of a Mac without the user’s knowledge.

According to the security researchers at Jamf who discovered the bug, the vulnerability is being actively exploited by variants of the XCSSET malware family. Apple says that it is “aware of a report that this issue may have been actively exploited”. This is about as close as the company usually comes to a definitive confirmation.

The exploit for this vulnerability took advantage of a flaw in Apple’s Transparency, Consent, and Control (TCC) framework. Among other things, TCC requires an app to get the user’s explicit permission before it can perform sensitive actions (such as taking screenshots or recording keystrokes).

At least that’s how TCC is supposed to work. But as the Jamf researchers discovered, TCC was allowing malicious apps to “piggyback” off of the permissions that a user had already granted to other (legitimate) apps on their system. 

To explain how this was happening, the researchers offered the following example. Imagine that a user has already given a video conferencing app like Zoom permission to take screenshots. A malicious application could exploit the TCC bug by hiding itself inside the Zoom app’s own application bundle, essentially tricking macOS into treating it as a sub-application of Zoom. In this way, the malware would inherit the permissions of its “parent” app (Zoom), which would allow it to take system screenshots without ever asking the user for permission.
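The piggybacking technique above leaves a simple artifact on disk: an app bundle nested inside another app’s bundle. The following script is an added triage example (it is not SecureMac’s or Jamf’s code) that walks a directory tree, lists every .app found inside another .app, and flags the ones whose CFBundleIdentifier does not share the enclosing app’s identifier prefix. Nested helper bundles are perfectly normal on macOS, so a mismatch is only a prompt to look closer, not proof of XCSSET. The bundle layout and identifiers used in the demo (zoom.us.app, Updater.app, com.example.dropper) are constructed for the example.

```python
"""Triage helper: find app bundles nested inside other app bundles.

Added example, not code from the original article or from Jamf. The TCC
piggyback described above depends on a malicious .app living inside the
bundle of an app that already holds Screen Recording permission. This
script reports nested .app directories and highlights those whose bundle
identifier does not look like a helper of the enclosing app (heuristic).
The demo tree built by build_demo_tree() is constructed, not real data.
"""
import os
import plistlib
import sys
import tempfile


def bundle_identifier(app_path):
    """Return CFBundleIdentifier from <app>/Contents/Info.plist, or None."""
    info = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(info, "rb") as fh:
            return plistlib.load(fh).get("CFBundleIdentifier")
    except (OSError, plistlib.InvalidFileException):
        return None


def find_nested_bundles(root):
    """Return (parent_app, nested_app) pairs for every .app inside another .app."""
    apps = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.endswith(".app"):
                apps.append(os.path.join(dirpath, name))
    pairs = []
    for nested in apps:
        # The innermost enclosing .app is the one whose TCC grants would be inherited.
        enclosing = [a for a in apps if a != nested and nested.startswith(a + os.sep)]
        if enclosing:
            pairs.append((max(enclosing, key=len), nested))
    return pairs


def suspicious_nested_bundles(root):
    """Flag nested bundles whose identifier does not share the parent's prefix.

    Heuristic only: a legitimate helper usually carries an identifier such as
    <parent-id>.helper, while an unrelated or missing identifier is worth a
    manual look (e.g. checking the code signature with codesign on a real Mac).
    """
    findings = []
    for parent, nested in find_nested_bundles(root):
        parent_id = bundle_identifier(parent)
        nested_id = bundle_identifier(nested)
        if parent_id is None or nested_id is None or not nested_id.startswith(parent_id):
            findings.append({"parent": parent, "nested": nested,
                             "parent_id": parent_id, "nested_id": nested_id})
    return findings


def _write_bundle(app_path, identifier):
    """Create a minimal bundle skeleton with Contents/Info.plist (constructed)."""
    os.makedirs(os.path.join(app_path, "Contents", "MacOS"), exist_ok=True)
    with open(os.path.join(app_path, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": identifier}, fh)


def build_demo_tree(base):
    """Constructed sample: one top-level app, one host app with two nested bundles."""
    apps = os.path.join(base, "Applications")
    _write_bundle(os.path.join(apps, "Safari.app"), "com.apple.Safari")
    host = os.path.join(apps, "zoom.us.app")
    _write_bundle(host, "us.zoom.xos")
    # Plausible helper: shares the parent's identifier prefix, not flagged.
    _write_bundle(os.path.join(host, "Contents", "Frameworks", "zoomHelper.app"),
                  "us.zoom.xos.helper")
    # Unrelated bundle hidden inside the host: flagged for triage.
    _write_bundle(os.path.join(host, "Contents", "Resources", "Updater.app"),
                  "com.example.dropper")


def run_demo():
    """Scan the constructed tree; return (nested paths, flagged identifiers)."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        nested = sorted(os.path.relpath(n, base) for _, n in find_nested_bundles(base))
        flagged = sorted(f["nested_id"] for f in suspicious_nested_bundles(base))
        return nested, flagged


if __name__ == "__main__":
    # Usage: python3 nested_bundles.py [/Applications]; with no argument, run the demo.
    if len(sys.argv) > 1:
        for f in suspicious_nested_bundles(sys.argv[1]):
            print(f"{f['nested']} ({f['nested_id']}) inside {f['parent']} ({f['parent_id']})")
    else:
        print(run_demo())
```

On a real Mac, run it against /Applications and follow up on each hit with `codesign -dv --verbose=2` on both bundles; a nested bundle signed by a different team than its parent, or unsigned, is the case worth escalating. The identifier check is deliberately cheap so it can run on exported file listings as well as live systems.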

More fixes for macOS 

The macOS 11.4 update also addressed other security issues, including:

  • A bug that could have let someone with physical access to a Mac bypass the login window
  • Flaws in the macOS image processing and 3D modeling frameworks that could have resulted in code execution or data leaks
  • Kernel vulnerabilities that could have led to code execution, privilege escalation, and denial of service attacks

Apple also released security updates for two older versions of macOS. The updates are Security Update 2021-003 Catalina and Security Update 2021-004 Mojave.

Needless to say, Big Sur users shouldn’t miss this update!

iOS, iPadOS, watchOS, and tvOS updates

In addition to the Mac updates, Apple released updated versions of its other operating systems: iOS 14.6, iPadOS 14.6, watchOS 7.5, and tvOS 14.6.

The iOS and iPadOS updates both address many of the same security vulnerabilities patched in the macOS updates. These bugs could lead to a number of undesirable outcomes, including:

  • Arbitrary code execution
  • System crashes
  • Privilege escalation
  • Disclosure of user information or restricted memory
  • Denial of service attacks
  • Malicious applications breaking out of the app sandbox
  • UXSS attacks

The watchOS and tvOS updates also contain important security patches. They address issues with image and audio processing frameworks, a number of kernel flaws, and some WebKit vulnerabilities as well.

If you haven’t set up automatic updates on your various Apple devices, then be sure to take a moment to update all of your OSes today!
