Last Monday, Apple released macOS 11.4 to patch macOS vulnerability CVE-2021-30713, which was used to take unauthorized screenshots of an end user’s active session to collect sensitive information.
The exploit was revealed by researchers at Jamf through their analysis of the XCSSET malware, which uses this vulnerability.
According to Jamf, the vulnerability allowed the XCSSET malware to access parts of macOS that require permission, such as the microphone, the webcam or screen recording, without ever getting consent.
The malware gains permissions to these different services through a tricky and ingenious mechanism.
Apple requires software packages to go through an approval process before initializing, in which an alert is sent to the user telling them which types of permissions the software wants.
XCSSET bypasses the security checks in macOS by using the permissions of a currently approved application and pretending to be that application at the time of execution.