Apple releases fixes for zero-day vulnerabilities in its operating systems

Apple released security updates for iOS, macOS, tvOS, watchOS, and the Safari web browser on Monday to patch a number of issues, including an actively exploited zero-day vulnerability in macOS Big Sur, as well as expanding fixes for two previously disclosed zero-day flaws.

 

The zero-day, identified as CVE-2021-30713, affects Apple’s Transparency, Consent, and Control (TCC) system in macOS, which keeps a record of each user’s consents.

 

Apple has admitted that the flaw may have been exploited in the wild, but didn’t go into detail.

 

The problem was fixed, according to the company, with improved validation.

 

WebKit on Apple TV 4K and Apple TV HD devices was affected by two of the three zero-days (CVE-2021-30663 and CVE-2021-30665).

 

WebKit is an HTML rendering engine used by Apple’s web browsers and applications on its desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS.

 

Threat actors may use maliciously designed web content to exploit the two vulnerabilities, which would enable arbitrary code execution on unpatched devices due to a memory corruption problem.

 

The third zero-day (CVE-2021-30713) is a permission problem in the Transparency, Consent, and Control (TCC) process that affects macOS Big Sur devices.

 

The TCC framework is a macOS subsystem that prevents installed apps from accessing sensitive user information without first prompting the user for permission via a pop-up notification.

 

A maliciously designed program may be used to exploit this vulnerability, bypassing Privacy preferences and gaining access to sensitive user data.

 

According to a separate report from mobile device management company Jamf, the bypass vulnerability is being actively exploited by XCSSET, malware that has been in the wild since August 2020 and is known to spread through modified Xcode IDE projects hosted on GitHub repositories and to plant malicious packages into legitimate apps installed on the target machine.

 

According to the researchers, the exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without the user’s explicit consent, which macOS requires by default.

 

Last year, Trend Micro discovered the XCSSET malware in a campaign targeting Mac users through infected Xcode projects, which used two other zero-days to hijack Safari and insert malicious JavaScript payloads.

 

Trend Micro researchers discovered a new XCSSET version last month, modified to run on Apple’s newly launched ARM Macs.

 

This year has seen an increase in the number of zero-day vulnerabilities appearing in Apple’s security advisories, with the majority of them being tagged as exploited in attacks before being fixed.

 


 

Shlayer malware took advantage of a macOS zero-day vulnerability patched in April to get around Apple’s File Quarantine, Gatekeeper, and Notarization protection checks and download and install second-stage malicious payloads.