Saturday, July 24, 2021

Apple patches harmful safety holes, one in energetic use – replace now! – Bare Safety

We’ve seen several news stories talking up some great new features in Apple’s latest software update for iOS, which was released yesterday.

However, we’re much more interested in the security patches that arrived in the update to iOS 14.6, because Apple fixed 38 significant bugs, covered by 43 different CVE bug numbers.

For what it’s worth, the update to macOS Big Sur 11.4 shared many of those bugs with iOS, as well as adding a raft of its own, with 58 significant bugs patched, covered by 73 different CVE bug numbers.

Perhaps even more importantly, one of the Big Sur bugs that was patched, now dubbed CVE-2021-30713, is a security flaw that is already known to criminals and has already and quietly been exploited in the wild.

In fact, this exploit was only recently reported to Apple after lurking unnoticed in Mac malware known as XCCSET that dates back to last year.

Ironically, this bug exists in a system component called TCC, short for Transparency Consent and Control, a part of macOS that is supposed to make sure that apps don’t do things they aren’t supposed to.

According to security researchers at Mac management software company Jamf, this bug provides a sneaky way for a simple AppleScript utility with no special permissions at all to “leech off” the permissions of an an already-installed app.

Usually, malware that blindly ran an AppleScript utility to record your screen would cause a giveaway security warning to pop up asking you if you wanted to let the malware go ahead.

Unless and until you clicked through into the Security & Privacy page in System Preferences, and manually approved the malware by adding it to the list of apps allowed to record your screen, the cybercrooks would be out of luck.

Jamf researchers, however, realised that by judiciously inserting the malicious screenshotting AppleScript utility into the application directory of software that already had Screen Recording permissions…

…they could then launch their AppleScript under the assumed authority of the so-called “donor” app and take screenshots covertly without any warnings popping up.

The researchers used Zoom as the “donor” app in their research article, but noted that the average Mac user is likely to have numerous screenshot-ready programs already installed, such as Discord, WhatsApp, Slack, WeChat, TeamViewer and many others. This trick is not limited to Screen Recording permissions, either, so other installed apps could be “piggybacked” too. This means that an attacker could invisibly acquire unauthorised access to other permissions such as Location Services, Photos, Camera, Microphone, and files and folders that would otherwise be off-limits.