Trend Micro discovered a new variant of the XCSSET malware, which spreads through infected Xcode projects. The malware itself was caught, but the macOS vulnerability it exploited had gone unnoticed by security researchers; Apple has now patched it in macOS 11.4.
Jamf has analysed the flaw and the unusual way in which it was exploited. It turns out that the part of the malware that bypasses macOS security controls and infects the Mac is written in AppleScript, and that it exploited no fewer than three flaws.
The malware first takes advantage of the fact that AppleScript can run shell commands (through its `do shell script` command), including downloading data with curl, to retrieve its main payload, which can then take screenshots and cause other mischief. It then gets around the macOS privacy permission check for screen recording (the Transparency, Consent and Control system, TCC) by looking for an app you have already granted screen-recording permission and placing its own code inside that app's bundle, so that the malicious code runs with the host app's permission instead of triggering a prompt of its own.
Apple has fixed the bugs in macOS 11.4 by, among other things, ensuring that an app bundled inside another app no longer inherits the host app's permissions.
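One way to look for this pattern on a Mac is to take the list of apps that hold the Screen Recording permission and check each of those bundles for executables it should not contain: a second `.app` nested inside the bundle, or an extra binary in `Contents/MacOS` that the bundle's own `Info.plist` does not name. The script below is an added example written for this article, not code from Trend Micro, Jamf or Apple; it builds a constructed `/Applications`-style tree in a temporary directory (one clean app, one app carrying a nested helper bundle, one app without the permission) and audits it. The set of permitted bundle identifiers is hard-coded as an assumption standing in for the result of a TCC database lookup, and all bundle identifiers and app names are hypothetical.

```python
"""Audit apps that hold Screen Recording permission for unexpected nested code.

Added example (not from the article or the vendors it cites). The permitted
bundle identifiers are an assumed input; on a real Mac they would come from
the TCC database, which itself needs Full Disk Access to read.
"""
import plistlib
import tempfile
from pathlib import Path


def write_app(bundle: Path, bundle_id: str, executable: str) -> Path:
    """Create a minimal .app skeleton (constructed sample, not a real app)."""
    macos = bundle / "Contents" / "MacOS"
    macos.mkdir(parents=True, exist_ok=True)
    (macos / executable).write_bytes(b"#!/bin/sh\nexit 0\n")
    (bundle / "Contents" / "Resources").mkdir(exist_ok=True)
    with (bundle / "Contents" / "Info.plist").open("wb") as f:
        plistlib.dump({"CFBundleIdentifier": bundle_id,
                       "CFBundleExecutable": executable}, f)
    return bundle


def build_sample_tree(root: Path) -> Path:
    """Constructed sample: a clean app, an app with a nested bundle dropped
    into its Resources folder, and an app that never had the permission."""
    apps = root / "Applications"
    write_app(apps / "Chat.app", "com.example.chat", "Chat")
    victim = write_app(apps / "Photos.app", "com.example.photos", "Photos")
    # The nested bundle's main binary is named like an AppleScript applet.
    write_app(victim / "Contents" / "Resources" / "Helper.app",
              "com.example.helper", "applet")
    write_app(apps / "Other.app", "com.example.other", "Other")
    return apps


def audit_permitted_apps(apps_root: Path, permitted_ids: set[str]) -> dict[str, list[str]]:
    """Return {bundle_id: [issues]} for every top-level app whose bundle id
    is in permitted_ids. An empty list means nothing suspicious was found."""
    findings: dict[str, list[str]] = {}
    for app in sorted(apps_root.glob("*.app")):
        info = app / "Contents" / "Info.plist"
        if not info.is_file():
            continue
        with info.open("rb") as f:
            plist = plistlib.load(f)
        bundle_id = plist.get("CFBundleIdentifier", "")
        if bundle_id not in permitted_ids:
            continue
        issues: list[str] = []
        expected = plist.get("CFBundleExecutable")
        macos_dir = app / "Contents" / "MacOS"
        # Any binary in Contents/MacOS other than the declared executable.
        if macos_dir.is_dir():
            for exe in sorted(p.name for p in macos_dir.iterdir()):
                if exe != expected:
                    issues.append(f"extra executable: Contents/MacOS/{exe}")
        # Any .app bundle nested anywhere inside the permitted app.
        for nested in sorted(p for p in app.rglob("*.app") if p.is_dir()):
            issues.append(f"nested bundle: {nested.relative_to(app)}")
        findings[bundle_id] = issues
    return findings


def run_sample() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    apps = build_sample_tree(root)
    permitted = {"com.example.chat", "com.example.photos"}  # assumed TCC result
    return audit_permitted_apps(apps, permitted)


if __name__ == "__main__":
    for bundle_id, issues in run_sample().items():
        print(bundle_id, "->", issues or "clean")
```

Treat the output as a triage list rather than a verdict: many legitimate apps ship nested helper bundles in `Contents/Frameworks` or `Contents/Resources`, so a hit should be followed by `codesign --verify --deep --strict` on the outer bundle, which fails if a nested bundle was added after the app was signed.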
As well as this and other important security fixes, macOS 11.4 brings the new Podcasts subscription service and support for new AMD graphics cards. Here's how to update macOS.
If you want some peace of mind regarding future malware outbreaks, check out our guide to the best Mac antivirus for buying recommendations. Our top pick is Intego Mac Internet Security X9.
This article originally appeared on Macworld Sweden. Translation by David Price.