Apple fixes macOS zero-day exploited by malware (CVE-2021-30713)

A zero-day vulnerability (CVE-2021-30713) that allowed XCSSET malware to surreptitiously take screenshots of the victim’s desktop has been fixed by Apple on macOS 11.4 (Big Sur) on Monday.

The XCSSET malware and its CVE-2021-30713 exploitation

Discovered in August 2021 by Trend Micro researchers, XCSSET is effectively trojan spyware that can grab user data from Safari and other installed browsers, read Safari cookies, inject JavaScript backdoors onto websites, grab information from a variety of apps (Evernote, Telegram, WeChat, etc.), capture screenshots of the user’s screen, and more.

The malware is written in AppleScript – a scripting language developed by Apple – that facilitates control over script-enabled Mac applications.

It was previously discovered that XCSSET used a zero-day exploit to steal Safari browser cookies and another one to seamlessly install a developer version of the Safari application (which is used to inject JavaScript backdoors onto websites). Jamf researchers now found that it exploits a third zero-day to bypass Apple’s Transparency Consent and Control (TCC) protections.

“[The TCC framework] is the system that controls what resources applications have access to,” the researchers explained. “From the user’s perspective, TCC is the prompt they receive when a program attempts to perform an action that Apple believes should require explicit permission from the user before allowing the action to occur.”

Users see that prompt when, for example, an app wants to access the computer’s microphone or camera, record the screen, save files to the Documents directory, etc.

XCSSET bypasses the TCC protections by using an AppleScript module to search for an application that has permissions to capture a screenshot and compiling it into a custom AppleScript application (“avatarde.app”) that is injected into that “donor” application.

By doing this, the malware effectively gains the permission to make screenshots without having to ask the user for it. Even worse – the vulnerability can be used to gain multiple other permissions that have already been provided to the donor application.

Update your Mac (and other iDevices)

CVE-2021-30713 has been patched in macOS Big Sur 11.4, which was released on Monday. The updated OS also brings many other security fixes.

At the same time, Apple has also released security updates for macOS Catalina and Mojave, Safari 14.1.1, iOS 14.6 and iPadOS 14.6, tvOS 14.6 and watchOS 7.5. Details about the security content of these updates can be found here.

Users are advised to implement the updates as soon as possible.