Security News
A zero-day vulnerability that allowed XCSSET malware to surreptitiously take screenshots of the victim's desktop has been fixed by Apple on macOS 11.4 on Monday. The XCSSET malware and its CVE-2021-30713 exploitation.
Apple on Monday announced that software updates for its desktop and mobile operating systems address tens of vulnerabilities, including a zero-day flaw in macOS Big Sur that has been exploited in attacks. Security researchers with Jamf, a firm that specializes in enterprise management software for Apple devices, say that the vulnerability has been actively exploited by the XCSSET malware, which infects Xcode projects to target Mac developers.
Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws. Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple's Transparency, Consent, and Control framework in macOS that maintains a database of each user's consents.
Apple has patched a hole in macOS that has been exploited by malware to secretly take screenshots on victims' Macs. Three flaws, including one spotted by Google's Project Zero, fixed in iOS 14.6 and iPadOS 14.6 can be exploited by a malicious app to run code with kernel-level privileges, allowing malicious software to completely take over the device.
Apple has released security updates to patch three macOS and tvOS zero-day vulnerabilities attackers exploited in the wild, with the former being abused by the XCSSET malware to bypass macOS privacy protections. In all three cases, Apple said that it is aware of reports that the security issues "may have been actively exploited," but it didn't provide details on the attacks or threat actors who may have exploited the zero-days.
Desktop OSes are more vulnerable than mobile OSes, purely because they're general purpose tools designed to run arbitrary code from arbitrary sources. Despite the growth of the sandboxed browser model, most obviously expressed in Chromebooks bringing mobile security sensibilities into the edge of the desktop, the basic utility of the general purpose OS cannot be sanitised into total safety.
Apple is using the growing threat of malware on its Mac platform as a defense in a lawsuit that could force the company to open up new channels of applications for its mobile iOS platform. In testimony in a California court Wednesday, Apple's head of software engineering, Craig Federighi, called the level of malware threat against the Mac platform one that the company finds "unacceptable" and continues to defend against with restrictive application-distribution platforms, according to a published report on CNET. Federighi's comments were made as Apple executives begin testifying in a court case that Epic Games, the maker of the hugely popular Fortnite, has brought against the tech giant for what Epic views as restrictive policies on the iOS App Store.
Good investigative reporting on how Apple is participating in and assisting with Chinese censorship and surveillance.
In July 2018, when Guizhou-Cloud Big Data agreed to a deal with state-owned telco China Telecom to move iCloud data belonging to Apple's China-based users to the latter's servers, the shift raised concerns that it could make user data vulnerable to state surveillance. Apple, in 2018, announced iCloud data of users in mainland China would move to a new data center in Guizhou province as part of a partnership with GCBD. The transition was necessitated to abide by a 2017 regulation that required all "personal information and important data" collected on Chinese users "be stored in the territory."