macOS Big Sur 11.4 Addresses Vulnerability That Could Let Attackers Take Secret Screenshots

macOS Big Sur 11.4, which was released this morning, addresses a zero-day vulnerability that could allow attackers to piggyback off of apps like Zoom, taking secret screenshots and surrepetiously recording the screen.

jamf malware secret screenshots
Jamf, a mobile device management company, today highlighted a security issue that allowed Privacy preferences to be bypassed, providing an attacker with Full Disk Access, Screen Recording, and other permissions without a user's consent.

The bypass was actively exploited in the wild, and was discovered by Jamf when analyzing XCSSET malware. The XCSSET malware has been out in the wild since 2020, but Jamf noticed an uptick in recent activity and discovered a new variant.

Once installed on a victim's system, the malware was used specifically for taking screenshots of the user's desktop with no additional permissions required. Jamf said that it could be used to bypass other permissions as well, as long as the donor application the malware piggybacked off of had that permission enabled.

Jamf has a full rundown on how the exploit worked, and the company says that Apple addressed the vulnerability in macOS Big Sur 11.4, Apple confirmed to TechCrunch that a fix has indeed been enabled in macOS 11.4, so Mac users should update their software as soon as possible.

Related Forum: macOS Big Sur

Popular Stories

2007 iPhone

Apple Discontinuing This 18-Year-Old iPhone Feature

Saturday February 8, 2025 3:51 pm PST by
The end of an 18-year era is on the horizon for the iPhone. Apple reportedly plans to announce a new iPhone SE as soon as next week, and the device is expected to feature a full-screen design with Face ID, instead of a Touch ID home button. That means Apple will no longer sell any new iPhone models with a home button, for the first time since the original iPhone launched. The home button...
iCloud General Feature Redux

iPhone Users Who Pay for iCloud Storage Receive an All-New Perk

Thursday February 6, 2025 11:21 am PST by
If you pay for iCloud storage on your iPhone, Apple has a new perk for you, at no additional cost. iCloud+ is the official name for Apple's paid iCloud storage plans, which range from 50GB for $0.99 per month to 12TB for $59.99 per month in the United States. iCloud+ plans already come with multiple perks for free, such as Hide My Email and HomeKit Secure Video, and now there is another one...
imac video apple feature

Apple to Announce New Products Next Week

Saturday February 8, 2025 10:55 am PST by
Apple has yet to release any new devices in 2025, but at least two new products are expected to be announced next week, according to rumors. Below, we outline the new Apple products that are likely to be unveiled next week. iPhone SE 4 Apple plans to announce the long-rumored iPhone SE 4 as soon as next week, according to Bloomberg's Mark Gurman. The new iPhone SE is rumored to...
iOS 18

iOS 18.4 Will Include These New Features for Your iPhone

Wednesday February 5, 2025 7:15 am PST by
iOS 18.3 was released last month, so the first iOS 18.4 beta should be coming soon. iOS 18.4 is expected to be a more substantial update for the iPhone, with several new features and changes related to Apple Intelligence and beyond. Apple's website suggests that iOS 18.4 will be released in April, following beta testing. Below, we outline what to expect from the update so far. Apple...
oppo find n5 fingers

World's Thinnest Foldable Phone Launches Next Week

Monday February 10, 2025 3:05 am PST by
Oppo has confirmed a February 20 global launch for its Find N5, which the company claims is the world's thinnest device in the foldable phone category. The phone is expected to be re-branded as the OnePlus Open 2 in the US. The Chinese vendor has been teasing the device in the last few weeks, touting its waterproofing and nearly invisible display crease, and highlighting its thinness by compa...
apple silicon mac lineup 2024 feature purple

Apple Increases Mac Trade-In Values for a Limited Time

Sunday February 9, 2025 3:53 pm PST by
Apple today increased its estimated trade-in values for select Mac models in the United States, with the full changes outlined below. Apple says the extra trade-in credit for select Macs is available with the purchase of an eligible new Apple device through April 2. The trade-in values increased by between $10 and $50. Model New Value Old Value MacBook Pro Up to $925 ...
iPhone SE 4 Single Camera Thumb

iPhone SE 4 Launching as Soon as Next Week

Thursday February 6, 2025 3:30 pm PST by
Apple's next-generation iPhone SE could debut as soon as next week with a launch to follow later in February, reports Bloomberg's Mark Gurman. Apple isn't expected to hold an event for the iPhone SE 4, and will instead unveil the device through a press release. The iPhone SE 4 is expected to have an iPhone 14-style design, with Apple eliminating the thick bezels and Touch ID Home button of...
maxresdefault

iPhone SE 4 Launch is Imminent - What to Expect

Friday February 7, 2025 2:42 pm PST by
Apple's next-generation low-cost iPhone is almost here, with rumors suggesting we're going to see it introduced as soon as next Tuesday. With a release happening in the very near future, we thought we'd highlight everything we know about Apple's newest iPhone. Subscribe to the MacRumors YouTube channel for more videos. Design The iPhone SE 4 will look like the iPhone 14, featuring a 6.1-inch ...

Top Rated Comments

Kung gu Avatar
49 months ago
11.4 also fixes excessive ssd writes.

PSA: The SSD disk write issues have been fixed in 11.4 which came out today. The person who found the issue in first place says it was a result of a kernel bug and he also says 11.4 addresses the issue.
Update to 11.4 if your on M1 macs.
Users on this thread also report lower disk writes on 11.4.


[MEDIA=twitter]1396374313591140357[/MEDIA]
Score: 17 Votes (Like | Disagree)
Apple_Robert Avatar
49 months ago

OK just read the report by JAMF. So it piggybacks on fake Xcode projects, then requires the user to grant access through the Terminal and also through System Preferences. I'm glad this was found and dealt with, but it seems like it's a pretty weak exploit since nearly all of these behaviors should alert a user with more than 2 brain cells to stop the process
Unfortunately, a lot of people click accept without really thinking about what they are giving system access to and for what reason.
Score: 11 Votes (Like | Disagree)
deevey Avatar
49 months ago

Unfortunately, a lot of people click accept without really thinking about what they are giving system access to and for what reason.
And that folks, is why iOS should remain locked down tight :)
Score: 10 Votes (Like | Disagree)
Rigby Avatar
49 months ago

I assume this will be backported?
According to the post by JAMF it only affects MacOS 11. The security updates for Mojave ('https://support.apple.com/en-us/HT212531') and Catalina ('https://support.apple.com/en-us/HT212530') that also came out today do not list it.
Score: 8 Votes (Like | Disagree)
Guyferd Avatar
49 months ago

So how was it installed? The usual pirated software? Tricking users into downloading it as a fake utility or game?
OK just read the report by JAMF. So it piggybacks on fake Xcode projects, then requires the user to grant access through the Terminal and also through System Preferences. I'm glad this was found and dealt with, but it seems like it's a pretty weak exploit since nearly all of these behaviors should alert a user with more than 2 brain cells to stop the process
Score: 8 Votes (Like | Disagree)
TheYayAreaLiving ?️ Avatar
49 months ago
Thank you for the heads up. Hide your identity and yourself people!!!



Attachment Image
Score: 7 Votes (Like | Disagree)