, 28 May 2021

Apple’s Big Sur 11.4 patches a security flaw that could be exploited to take screenshots, record audio and video, and access files on someone else’s Mac without their knowing.

Apple released Big Sur 11.4 this week in order to patch a zero-day flaw that allowed users to take screenshots, record video, and access files on someone else’s Mac without being detected. The exploit provided a way to bypass Apple’s Transparency Consent and Control (TCC) framework, which oversees the permissions granted to each app. The flaw was discovered by cybersecurity firm Jamf when, according to its blog, it observed XCSSET spyware “using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.” The malware was able to evade the TCC by essentially hijacking permissions granted to other apps. 

Avast Security Evangelist Luis Corrons recommends not waiting to update your Mac. “All users are urged to update to the latest version of Big Sur,” he said. “Mac users are accustomed to receiving prompts when an app needs certain permissions to perform its duties, but attackers are bypassing that protection completely by actively exploiting this vulnerability.”

Falsely registered Walmart accounts receive racist emails

A hacker signed up an unknown number of users for Walmart accounts, and then sent them a “Welcome to Walmart” email that contained a racial slur. Walmart spokesperson Molly Blakeman issued a statement saying that the bad actor came from outside the company and had “obvious intent to offend our customers.” She also commented, “We are shocked and appalled to see these offensive and unacceptable emails. We’re looking into our sign up process to ensure something like this doesn’t happen again.” Learn more at CNN Business. 

NHS ready to share 55m patient records with third parties

Unless they opt out before June 23rd, 55 million patients in England will have their medical histories added to a national data pool the NHS plans to share with third parties. According to Financial Times, “NHS Digital, which runs the health service’s IT systems, confirmed the plan to pool together medical records from every patient in England who is registered with a GP clinic into a single lake that will be available to academic and commercial third parties for research and planning purposes.” Opponents of the plan say the NHS has not readily informed the general public, and that many still don’t know the plan is being enacted. 

WhatsApp sues Indian government over new internet laws

Encrypted communication platform WhatsApp filed a lawsuit in Delhi courts this week, suing the Indian government over new laws that require all internet-based communication to be traceable. WhatsApp has more than 400 million users in India, and all of their data would have to be recorded and collected for government storage under the new edict. In its lawsuit, WhatsApp called the laws unconstitutional and a violation of every citizen’s right to the preservation of privacy, as mentioned in an Indian supreme court ruling in 2017. Check out The Guardian for more on this story.

Bose notifies employees about ransomware attack

Sixty days after it was detected, audio tech giant Bose notified affected employees that their HR data had been involved in a ransomware attack. “We did not make any ransomware payment. We recovered and secured our systems with the support of third-party cybersecurity experts,” Bose Media Relations Director Joanne Berthiaume told Bleeping Computer. “During our investigation, we identified a very small number of individuals whose data was impacted, and we sent notices to them directly in accordance with our legal requirements,” she added. Personal information exposed in the attack includes names, Social Security numbers, and salary information, as well as other HR data.  

This week’s ‘must-read’ on The Avast Blog

Technology has made long distance relationships easier than ever -- or has it? How long distance relationships have changed over the 30 years of the internet.