macOS Big Sur 11.4 Addresses Vulnerability That Could Let Attackers Take Secret Screenshots - MacRumors
Skip to Content

macOS Big Sur 11.4 Addresses Vulnerability That Could Let Attackers Take Secret Screenshots

by

macOS Big Sur 11.4, which was released this morning, addresses a zero-day vulnerability that could allow attackers to piggyback off of apps like Zoom, taking secret screenshots and surrepetiously recording the screen.

jamf malware secret screenshots
Jamf, a mobile device management company, today highlighted a security issue that allowed Privacy preferences to be bypassed, providing an attacker with Full Disk Access, Screen Recording, and other permissions without a user's consent.

The bypass was actively exploited in the wild, and was discovered by Jamf when analyzing XCSSET malware. The XCSSET malware has been out in the wild since 2020, but Jamf noticed an uptick in recent activity and discovered a new variant.

Once installed on a victim's system, the malware was used specifically for taking screenshots of the user's desktop with no additional permissions required. Jamf said that it could be used to bypass other permissions as well, as long as the donor application the malware piggybacked off of had that permission enabled.

Jamf has a full rundown on how the exploit worked, and the company says that Apple addressed the vulnerability in macOS Big Sur 11.4, Apple confirmed to TechCrunch that a fix has indeed been enabled in macOS 11.4, so Mac users should update their software as soon as possible.

Related Forum: macOS Big Sur

Popular Stories

imac video apple feature

Apple Released Yet Another New Product Today

Friday March 20, 2026 2:39 pm PDT by
Apple has unveiled a whopping nine new products so far this March, including an iPhone 17e, iPad Air models with the M4 chip, MacBook Air models with the M5 chip, MacBook Pro models with M5 Pro and M5 Max chips, the all-new MacBook Neo, an updated Studio Display, a higher-end Studio Display XDR, AirPods Max 2, and now the Nike Powerbeats Pro 2. iPhone 17e features the same overall design as...
Read Full Article
iOS 26

iOS 26.4 Adds Two New Features to CarPlay

Tuesday March 24, 2026 1:55 pm PDT by
iOS 26.4 was released today, and it includes a couple of new features for CarPlay: an Ambient Music widget and support for voice-based chatbot apps. To update your iPhone 11 or newer to iOS 26.4, open the Settings app and tap on General → Software Update. CarPlay will automatically offer the new features so long as the iPhone connected to your vehicle is running iOS 26.4 or later....
Read Full Article24 comments
HomePod mini and Apple TV Sage

New Apple TV and HomePod Mini Remain 'Ready' to Launch

Sunday March 22, 2026 6:33 am PDT by
Apple has unveiled nine new products this month, but the wait continues for the next-generation Apple TV 4K and HomePod mini models. In his Power On newsletter today, Bloomberg's Mark Gurman said new versions of the Apple TV and HomePod mini have been "ready" since last year, but he reiterated that Apple has held off on releasing them until the more personalized version of Siri and other...
Read Full Article136 comments

Top Rated Comments

K
Kung gu
63 months ago
11.4 also fixes excessive ssd writes.

PSA: The SSD disk write issues have been fixed in 11.4 which came out today. The person who found the issue in first place says it was a result of a kernel bug and he also says 11.4 addresses the issue.
Update to 11.4 if your on M1 macs.
Users on this thread also report lower disk writes on 11.4.



View post on X
Score: 17 Votes (Like | Disagree)
Apple_Robert Avatar
Apple_Robert
63 months ago

OK just read the report by JAMF. So it piggybacks on fake Xcode projects, then requires the user to grant access through the Terminal and also through System Preferences. I'm glad this was found and dealt with, but it seems like it's a pretty weak exploit since nearly all of these behaviors should alert a user with more than 2 brain cells to stop the process
Unfortunately, a lot of people click accept without really thinking about what they are giving system access to and for what reason.
Score: 11 Votes (Like | Disagree)
D
deevey
63 months ago

Unfortunately, a lot of people click accept without really thinking about what they are giving system access to and for what reason.
And that folks, is why iOS should remain locked down tight :)
Score: 10 Votes (Like | Disagree)
Guyferd Avatar
Guyferd
63 months ago

So how was it installed? The usual pirated software? Tricking users into downloading it as a fake utility or game?
OK just read the report by JAMF. So it piggybacks on fake Xcode projects, then requires the user to grant access through the Terminal and also through System Preferences. I'm glad this was found and dealt with, but it seems like it's a pretty weak exploit since nearly all of these behaviors should alert a user with more than 2 brain cells to stop the process
Score: 8 Votes (Like | Disagree)
R
Rigby
63 months ago

I assume this will be backported?
According to the post by JAMF it only affects MacOS 11. The security updates for Mojave ('https://support.apple.com/en-us/HT212531') and Catalina ('https://support.apple.com/en-us/HT212530') that also came out today do not list it.
Score: 8 Votes (Like | Disagree)
TheYayAreaLiving 🎗️ Avatar
TheYayAreaLiving 🎗️
63 months ago
Thank you for the heads up. Hide your identity and yourself people!!!



Attachment Image
Score: 7 Votes (Like | Disagree)
Read All Comments