macOS 11.3 Patches Security Vulnerability That Bypassed Built-In Malware Protections
Apple today confirmed to TechCrunch that the just-released macOS 11.3 software update patches a security vulnerability that reportedly could have allowed a hacker to remotely access a user's sensitive data by tricking a user into opening a spoofed document.
"All the user would need to do is double click — and no macOS prompts or warnings are generated," said security researcher Cedric Owens, who discovered the vulnerability in mid-March, according to the report. Owens developed a proof-of-concept app masquerading as a harmless document that exploits the bug to launch the Calculator app, but he said the vulnerability could be exploited for more nefarious purposes.
According to security researcher Patrick Wardle, the vulnerability was the result of a logic bug in macOS's underlying code.
"In simple terms, macOS apps aren't a single file but a bundle of different files that the app needs to work, including a property list file that tells the application where the files it depends on are located," explains TechCrunch. "But Owens found that taking out this property file and building the bundle with a particular structure could trick macOS into opening the bundle — and running the code inside — without triggering any warnings."
In addition to fixing the bug in macOS 11.3, Apple told TechCrunch it patched earlier macOS versions to prevent abuse, and updated macOS's built-in anti-malware system XProtect to block malware from exploiting the vulnerability. The report says the bug was exploited for months, but it's unclear how many users were impacted.
Related Stories
Apple's recently released macOS Big Sur 11.4 update addresses a serious security vulnerability, so all users should complete the software update immediately.
Jamf, a mobile device management company, raised a major security issue in macOS Big Sur that allowed attackers to piggyback apps like Zoom to surreptitiously take screenshots and record the screen. The exploit allowed a user's Privacy...
Each year, the Zero Day Initiative hosts a "Pwn2Own" hacking contest where security researchers can earn money for finding serious vulnerabilities in major platforms like Windows and macOS.
This 2021 Pwn2Own virtual event kicked off earlier this week and featured 23 separate hacking attempts across 10 different products including web browsers, virtualization, servers, and more. A three-day...
Mozilla today announced the public release of Firefox 89 for macOS with a redesigned and modernized core browsing experience.
The latest version of the browser features a simplified toolbar with less frequently used items removed, allowing the focus to be on the most important navigation items. Menus and prompts have also been streamlined across Firefox to have cleaner designs and clearer...
Apple today released macOS Big Sur 11.4, the fourth major update to the macOS Big Sur operating system that launched in November 2020. macOS Big Sur comes one month after the release of macOS Big Sur 11.3, an update that added M1 optimizations, AirTag integration, and more.
The new macOS Big Sur 11.4 update can be downloaded for free on all eligible Macs using the...
The macOS Big Sur 11.2.1 update that Apple released today fixes a sudo security vulnerability that could allow an attacker to gain root access to a Mac.
According to an Apple security support document, the bug, CVE-2021-3156, was addressed in the update by updating to sudo version 1.9.5p2. Apple has also fixed the bug in Supplemental Updates made available for macOS Catalina 10.15.7 and...
For this week's giveaway, we've teamed up with Softorino to offer MacRumors readers a chance to win a fully upgraded iPad Air and a copy of WALTR PRO to go along with it.
WALTR PRO is the third iteration of the popular WALTR app that's designed to make it easy to get any file from your computer onto an iPhone, iPad, or iPod touch. It's fantastic for transferring photos, videos, music, and...
A sudo bug that can grant an attacker root access has been discovered to affect macOS Big Sur (via ZDNet).
The security vulnerability, identified last week as "CVE-2021-3156" by the Qualys Security Team, affects sudo, which is a program that allows users to run commands with the security privileges of another user, such as an administrator. The bug triggers a "heap overflow" in sudo that...
Apple today released iOS 14.4 and iPadOS 14.4, and along with a handful of minor new features, the software introduces security fixes for three vulnerabilities that may have been used in the wild.
According to a security support document shared by Apple, there were kernel and WebKit vulnerabilities affecting all iPhones and iPads running iOS or iPadOS 14. The kernel vulnerability could allow ...
macOS Big Sur 11.4, which was released this morning, addresses a zero-day vulnerability that could allow attackers to piggyback off of apps like Zoom, taking secret screenshots and surrepetiously recording the screen.
Jamf, a mobile device management company, today highlighted a security issue that allowed Privacy preferences to be bypassed, providing an attacker with Full Disk Access,...
After today's keynote event that saw the introduction of macOS Monterey, the latest version of the Mac operating system, Apple has seeded the first beta of macOS Monterey to developers for testing purposes. Registered developers can download the beta through the Apple Developer Center and once the appropriate profile is installed, betas will be available through the Software Update...
Top Rated Comments
There‘s a good write up of the disastrous security flaw here ('https://objective-see.com/blog/blog_0x64.html').
There are still murders, robberies, other criminal acts. Does that mean the police does nothing?