Turning Your Computer Into a GPS Tracker With Apple Maps
One of the things Apple cares about in terms of its bug bounty program is your location data. Apple rightly categorizes real-time or historical precise location data as "sensitive data" which in some cases qualifies for a significant monetary award.
Get root on macOS 12.3.1: proof-of-concepts for Linus Henze’s CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763)
Here are two proof-of-concepts for CVE-2022-26766 (CoreTrust allows any root certificate) and CVE-2022-26763 (IOPCIDevice::_MemoryAccess not checking bounds at all), two issues discovered by @LinusHenze and patched in macOS 12.4 / iOS 15.5.
%2Fcdn.vox-cdn.com%2Fuploads%2Fchorus_asset%2Ffile%2F19861742%2Facastro_200331_1777_zoom_0003.0.jpg?width=92&height=&ar=&mode=&format=avif&dpr=2)
Zoom’s latest update on Mac includes a fix for a dangerous security flaw
Zoom has issued a patch for a bug on macOS that could allow a hacker to take control of a user’s operating system (via MacRumors). In an update on its security bulletin, Zoom acknowledges the issue (CVE-2022-28756) and says a fix is included in version 5.11.5 of the app on Mac, which you can (and should) download now.
Process injection: breaking all macOS security layers with a single vulnerability ·
In macOS 12.0.1 Monterey, Apple fixed CVE-2021-30873. This was a process injection vulnerability affecting (essentially) all macOS AppKit-based applications. We reported this vulnerability to Apple, along with methods to use this vulnerability to escape the sandbox, elevate privileges to root and bypass the filesystem restrictions of SIP.
You're M̶u̶t̶e̶d̶ Rooted
With a recent market cap of over $100 billion and the genericization of its name, the popularity of Zoom is undeniable. But what about its security? This imperative question is often quite personal, as who amongst us isn't jumping on weekly (daily?) Zoom calls? In this talk, we’ll explore Zoom’s macOS application to uncover several critical security flaws. Flaws, that provided a local unprivileged attacker a direct and reliable path to root. The first flaw, presents itself subtly in a core cryptographic validation routine, while the second is due to a nuanced trust issue between Zoom’s client and its privileged helper component. After detailing both root cause analysis and full exploitation of these flaws, we’ll end the talk by showing how such issues could be avoided …both by Zoom, but also in other macOS applications.
Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706 - Microsoft Security Blog
Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared these findings with Apple, and fix for this vulnerability, now identified as CVE-2022-26706, was included in the security updates on May 16, 2022.
Get root on macOS 12.3.1: proof-of-concepts for Linus Henze's CoreTrust and DriverKit bugs
Here are two proof-of-concepts for CVE-2022-26766 (CoreTrust allows any root certificate) and CVE-2022-26763 (IOPCIDevice::_MemoryAccess not checking bounds at all), two issues discovered by @LinusHenze and patched in macOS 12.4 / iOS 15.5.
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.
Apple has pushed a silent Mac update to remove hidden Zoom web server
Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission. The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which […]
Gimmick MacOS Malware Spreads Through Customized Files, Enables MacOS CodeSign Bypass - CloudSEK
We discovered that Gimmick MacOS malware communicates only through their C2 server hosted on Google Drive. The malware was discovered in the first week of May and it has been actively targeting macOS devices
Analyzing a Pirrit adware installer
While Windows holds the largest market share on malware, macOS has its fair share of threats that mostly exist in an adware/grayware area. In this post I want to walk through how a Pirrit PKG file installer works. There are lots of more complex threats, but this is a good place to start if you’re just jumping into analysis. If you want to follow along at home, I’m working with this file in MalwareBazaar: https://bazaar.abuse.ch/sample/d39426dbceb54bba51587242f8101184df43cc23af7dc7b364ca2327e28e7825/.
From the Front Lines | Unsigned macOS oRAT Malware Gambles For The Win
Researchers looking into a new APT group targeting gambling sites with a variety of cross-platform malware recently identified a version of oRAT malware targeting macOS users and written in Go. While neither RATs nor Go malware are uncommon on any platform, including the Mac, the development of such a tool by a previously unknown APT is an interesting turn, signifying the increasing need for threat actors to address the rising occurrence of Macs among their intended targets and victims. In this post, we dig deeper into the technical details of this novel RAT to understand better how it works and how security teams can detect it in their environments.
OverWatch Insights: Reviewing a New Intrusion Targeting Mac Systems
While Mac enterprise networks are not as common as Windows, and subject to less targeting by adversaries, recent CrowdStrike Falcon Overwatch observations shed light on sophisticated tactics, techniques and procedures (TTPs) targeting Mac environments.
