Pixel Envy

Written by Nick Heer.

Vulnerability Patched in MacOS 11.4 Allowed Bypass of Consent and Control Permissions

Apple describing one of the security patches in MacOS Big Sur 11.4:

TCC

Available for: macOS Big Sur

Impact: A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.

Description: A permissions issue was addressed with improved validation.

CVE-2021-30713: an anonymous researcher

Stuart Ashenbrenner, Jaron Bradley, and Ferdous Saljooki of Jamf, the organization that reported this vulnerability:

For example, if the virtual meeting application zoom.us.app is found on the system, the malware will place itself like so:

/Applications/zoom.us.app/Contents/MacOS/avatarde.app

If the victim computer is running macOS 11 or greater, it will then sign the avatarde application with an ad-hoc signature, or one that is signed by the computer itself.

Once all files are in place, the custom application will piggyback off of the parent application, which in the example above is Zoom. This means that the malicious application can take screenshots or record the screen without needing explicit consent from the user. It inherits those TCC permissions outright from the Zoom parent app. This represents a considerable privacy concern for end-users.

During Jamf’s testing, it was determined that this vulnerability is not limited to screen recording permissions either. Multiple different permissions that have already been provided to the donor application can be transferred to the maliciously created app.

A clever violation of inherited permissions. As this is an actively exploited vulnerability, you should probably update as soon as you can. I do not see the same CVE in today’s Catalina or Mojave updates, so it appears this is entirely a Big Sur problem.
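A defensive check for the placement the Jamf researchers describe, as an added example that is not code from this post, Jamf, or Apple: it lists app bundles nested inside another bundle's Contents/MacOS directory and flags those that `codesign -dv` reports as ad-hoc signed. The function names, the sample directory tree, and the sample codesign text are constructed for illustration; some legitimate apps nest helpers this way, so a hit is a lead for review, not a verdict.

```python
import os
import subprocess

# Constructed sample of `codesign -dv` output for an ad-hoc signed bundle.
SAMPLE_ADHOC = "Identifier=avatarde\nSignature=adhoc\nTeamIdentifier=not set\n"

def find_nested_bundles(root):
    """Return .app bundles located directly in <donor>.app/Contents/MacOS."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        parts = dirpath.split(os.sep)
        in_donor_macos = (len(parts) >= 3 and parts[-1] == "MacOS"
                          and parts[-2] == "Contents"
                          and parts[-3].endswith(".app"))
        if in_donor_macos:
            hits += [os.path.join(dirpath, d)
                     for d in dirnames if d.endswith(".app")]
    return sorted(hits)

def is_adhoc(codesign_text):
    """True if codesign's description reports an ad-hoc signature."""
    return any(line.strip() == "Signature=adhoc"
               for line in codesign_text.splitlines())

def describe_signature(bundle):
    """Run codesign (macOS only); return its text, or None if unavailable."""
    try:
        proc = subprocess.run(["codesign", "-dv", bundle],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout + proc.stderr  # codesign writes details to stderr

def build_sample_tree(root):
    """Constructed layout: one nested bundle as in the Jamf example, one not."""
    for rel in ("zoom.us.app/Contents/MacOS/avatarde.app/Contents/MacOS",
                "Clean.app/Contents/MacOS",
                "Clean.app/Contents/Frameworks/Helper.app"):
        os.makedirs(os.path.join(root, *rel.split("/")))

def scan(root):
    """Return (path, adhoc) pairs; adhoc is None when codesign cannot run."""
    results = []
    for bundle in find_nested_bundles(root):
        text = describe_signature(bundle)
        results.append((bundle, None if text is None else is_adhoc(text)))
    return results

if __name__ == "__main__":
    for path, adhoc in scan("/Applications"):
        print(f"{path}\tadhoc={adhoc}")
```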