在macOS操作系统中新发现的漏洞可能会让攻击者在机主不知情的情况下截屏、录制视频或访问硬盘文件。
网络安全研究公司Jamf发布的一份报告称,恶意软件可以避开名为“透明许可与控制”(Transparency Consent and Control,简称TCC)的隐私保护功能,该功能通过控制应用程序能够访问的资源,从而保护用户隐私。(例如,该功能要求应用程序经用户授权后才可以访问摄像头或麦克风。)
去年首次发现的一种名为XCSSET的恶意软件,利用其他应用程序获得的权限绕过TCC隐私保护功能,广泛访问受感染的Mac。
Jamf写道:“检测小组发现,恶意软件XCSSET一旦安装在受害者的系统上,无需额外权限,即可专门被用来截取用户桌面的屏幕截图。”
当人们在家工作并使用Mac进行Zoom 会议等活动时,这种问题就更加严重,因为此时极易受到攻击。比如,Jamf指出,恶意软件能够连接到Zoom并录制用户的屏幕,但不会给出任何提示。
苹果公司已经发布了一款补丁软件来阻止XCSSET利用此漏洞,并建议人们立即为安装macOS 11.4及以上版本的Mac下载该补丁软件。
这并非苹果今年发生的第一起安全问题。安全专家曾经警告称,4月,AirDrop功能隐藏的漏洞可能会让15亿用户的个人信息面临安全风险。(财富中文网)
翻译:郝秀
审校:汪皓
在macOS操作系统中新发现的漏洞可能会让攻击者在机主不知情的情况下截屏、录制视频或访问硬盘文件。
网络安全研究公司Jamf发布的一份报告称,恶意软件可以避开名为“透明许可与控制”(Transparency Consent and Control,简称TCC)的隐私保护功能,该功能通过控制应用程序能够访问的资源,从而保护用户隐私。(例如,该功能要求应用程序经用户授权后才可以访问摄像头或麦克风。)
去年首次发现的一种名为XCSSET的恶意软件,利用其他应用程序获得的权限绕过TCC隐私保护功能,广泛访问受感染的Mac。
Jamf写道:“检测小组发现,恶意软件XCSSET一旦安装在受害者的系统上,无需额外权限,即可专门被用来截取用户桌面的屏幕截图。”
当人们在家工作并使用Mac进行Zoom 会议等活动时,这种问题就更加严重,因为此时极易受到攻击。比如,Jamf指出,恶意软件能够连接到Zoom并录制用户的屏幕,但不会给出任何提示。
苹果公司已经发布了一款补丁软件来阻止XCSSET利用此漏洞,并建议人们立即为安装macOS 11.4及以上版本的Mac下载该补丁软件。
这并非苹果今年发生的第一起安全问题。安全专家曾经警告称,4月,AirDrop功能隐藏的漏洞可能会让15亿用户的个人信息面临安全风险。(财富中文网)
翻译:郝秀
审校:汪皓
A newly discovered flaw in the macOS operating system could allow intruders to take screenshots, record video, or access files on a hard drive without the machine owner’s knowledge.
A report from cybersecurity research firm Jamf says the bypass performs an end-run around a privacy feature known as Transparency Consent and Control, which controls the resources applications have access to, as a privacy safeguard. (This is the feature that asks for a user's permission when an app wants access to the camera or microphone, for example.)
A type of malware, dubbed XCSSET, which was first discovered last year, has found a way to use permissions obtained by other apps to bypass TCC, giving it broad access to infected Macs.
“The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions,” Jamf wrote.
That’s especially troublesome in an environment where people are working from home and using their Macs for activities such as Zoom calls, which can be especially vulnerable. In one example Jamf illustrated, the malware was able to hook into Zoom and record the user’s screen without any sort of prompt.
Apple already has issued a patch to keep XCSSET from using this vulnerability and is encouraging anyone running macOS 11.4 or later to download it immediately.
This isn’t the first security issue for Apple this year. Security experts sounded a warning that a feature tied with AirDrop could put the personal information of 1.5 billion users at risk in April.