Japan Vulnerability NotesJVN:42691027JVN#42691027: "direct" Desktop App for macOS fails to restrict access permissions
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
0.0004 Low
EPSS
Percentile
5.1%
“direct” Desktop App for macOS provided by L is B Corp. fails to restrict access permissions (CWE-284).
The access control mechanism provided by macOS “TCC (Transparency Consent and Control)” may be bypassed.
Impact
Camrea, microphone, etc. of the device where the product is installed may be used without the user’s consent. As a result, the recorded image/audio data may be obtained.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Note that the existence of the vulnerability has not been confirmed in the App’s Windows version, but as it is using a similar mechanism as the Mac version, an update has been released for it as well.
Products Affected
- “direct” Desktop App for macOS ver 2.6.0 and earlier
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
0.0004 Low
EPSS
Percentile
5.1%