Apple has patched three macOS and tvOS zero-day vulnerabilities that attackers have exploited in the wild.
Attackers exploited the macOS bug by deploying the XCSSET malware and bypassing macOS privacy protections.
Apple said that it is aware of reports that all three security issues “may have been actively exploited,” but did not provide any further technical details or identify the threat actors.
Two of the three zero-day bugs (CVE-2021-30663 and CVE-2021-30665) are found in WebKit, a browser rendering engine used on Apple TV 4K and Apple TV HD devices and desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS.
An attacker could trigger arbitrary code execution on unpatched devices by using maliciously crafted web content and causing memory corruption.
The third zero-day bug (CVE-2021-30713) is a permission issue that impacts macOS Big Sur devices and is found in the Transparency, Consent, and Control (TCC) framework. The TCC framework is a macOS subsystem that protects sensitive user info from unauthorized access by apps. Attackers could exploit this vulnerability to bypass Privacy preferences and access sensitive user data with the help of a malicious app.
Jamf researchers discovered that the CVE-2021-30713 zero-day patched today was being exploited by the operators of the XCSSET malware, who used it to circumvent Apple’s TCC protections.
“The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior,” the researchers said.
Researchers discovered this flaw was actively exploited during their analysis of the XCSSET malware.
“The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.”
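Because TCC grants are what a bypass like this one undermines, one thing a defender can do after patching is audit which apps actually hold Screen Recording or Full Disk Access. The script below is an added example, not code from the article, Apple or Jamf. It assumes the system TCC database layout as found on macOS Big Sur (`/Library/Application Support/com.apple.TCC/TCC.db`, table `access` with `service`, `client` and `auth_value` columns, where `auth_value` 2 means allowed) and the real service identifiers `kTCCServiceScreenCapture` and `kTCCServiceSystemPolicyAllFiles`; the sample rows and bundle identifiers are constructed so it runs offline on any platform.

```python
"""Audit which clients hold high-risk TCC grants (Screen Recording, Full Disk Access).

Added example, not from the article, Apple or Jamf. Assumes the Big Sur TCC.db
layout (table `access`, columns `service`, `client`, `auth_value`); the sample
rows below are constructed and carry com.example.* identifiers.
"""
import sqlite3

# Real TCC service identifiers for the two permissions named in the article.
SENSITIVE_SERVICES = {
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
}
AUTH_ALLOWED = 2  # assumed auth_value meaning "allowed" in the Big Sur schema

# Assumed path of the system-wide TCC database on macOS (reading it needs
# Full Disk Access for the tool doing the audit).
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def open_system_db(path=SYSTEM_TCC_DB):
    """Open the real database read-only so an audit can never alter grants."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db used when running offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    rows = [
        # (service, client bundle id, client_type, auth_value) - all constructed
        ("kTCCServiceScreenCapture", "com.example.video-conf", 0, 2),
        ("kTCCServiceScreenCapture", "com.example.unknown-helper", 0, 2),
        ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.dropped-binary", 0, 2),
        ("kTCCServiceCamera", "com.example.unknown-helper", 0, 2),  # not audited here
        ("kTCCServiceScreenCapture", "com.example.denied", 0, 0),   # denied, ignored
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    return conn


def granted_sensitive(conn):
    """Return {(client, permission name)} for every allowed high-risk grant."""
    placeholders = ",".join("?" * len(SENSITIVE_SERVICES))
    cur = conn.execute(
        "SELECT client, service FROM access "
        f"WHERE auth_value = ? AND service IN ({placeholders})",
        (AUTH_ALLOWED, *SENSITIVE_SERVICES),
    )
    return {(client, SENSITIVE_SERVICES[service]) for client, service in cur}


def unexpected_grants(conn, allowlist):
    """Grants whose client is not on the allowlist; these deserve review."""
    return sorted(g for g in granted_sensitive(conn) if g[0] not in allowlist)


if __name__ == "__main__":
    # Offline demonstration on the constructed database.
    db = build_sample_db()
    known_good = {"com.example.video-conf", "com.apple.Terminal"}
    for client, permission in unexpected_grants(db, known_good):
        print(f"REVIEW: {client} holds {permission}")
```

On a real Mac the same `unexpected_grants()` call can be pointed at `open_system_db()`; the allowlist should be the set of bundle identifiers the organisation has deliberately approved, so anything else holding Screen Recording or Full Disk Access surfaces for review.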
Zero-day vulnerabilities have been showing up in Apple’s security advisories more and more often throughout this year, most of them also tagged as exploited in attacks before getting patched.