IOTW: MacOS Security Patches Issued Again

2021 has been tough for Apple, security-wise, as it relates to zero-day exploits. The latest round of malware is able to create an app in Zoom that can secretly record video or audio, take screen shots and gain full disk access. Since the beginning of the year, Apple has had to issue a couple of security patches, first with macOS 11.3 and most recently with MacOS 11.4, both "Big Sur" releases.

The Facts

Since January 9th, hackers have been using Shlayer malware to bypass the Gatekeeper, Notarization and File Quarantine functions in macOS which are designed to prevent users from installing apps that circumvent the Apple App Store. The exploit spreads itself via compromised websites and fraudulent search engine results. When a user clicks on one of the poisonous links, they are prompted with what appears to be a legitimate, branded software update which, when approved by the user, installs the malware.

macOS 11.3, released on May 3, fixed the problem by notifying the user that the application cannot be opened because the developer isn't recognized. Apple might have fixed the problem sooner if it had not dismissed the scope of vulnerable systems. Apparently, Apple knew that the malware affected UNIX systems but it was unaware that derivative operating systems were also affected, including macOS. In addition, there is a sudo flaw which gives regular users administrative capabilities.

The latest exploit necessitated a macOS update to 11.4 on May 24, which prevents XCSSET malware from being installed on a user's device. The spyware is capable of recording Zoom video, taking pictures of the user, gaining full disk access and recording audio. The software, which exploits and hijacks permissions, installs and operates transparently (without notifying users). After that, a human or automated software can record video or audio, take pictures via the camera and gain full disk access.

The latest vulnerability has been listed in the NIST NVE database as CVE-2021-30480. According to the description, this vulnerability must be exploited by someone within the same organization or a person outside the organization who has been accepted as a contact.

Lessons Learned

Apple OSes are not inherently secure – nothing is. For years, Apple PCs were considered more secure than Windows PCs because the latter had a much larger installed base. However, in today's world of iEverything, Apple devices have become targets and users are at risk. 

Quick Tips

1. Install OS patches immediately. Since the exploits covered in this piece are zero-day exploits, this is the only course of action.
2. Use the present situation as a teaching moment to remind end users not to install any applications outside the Apple App Store because they haven't been vetted. While the Zoom-oriented vulnerability does not require the user to take any action, the earlier exploit did require the user to explicitly agree to install a software "update."
3. Remind users to be careful about whom they accept as contacts.
4. Work with IT to control what applications users can access, such as by setting up an internal marketplace of approved apps. When executed well, users still have a "choice" of which apps they use while IT and cyber security maintain centralized control of apps.
5. Monitor device and application use for anomalous application and user behavior.
6. Make sure antivirus software is updated.