Apple on Monday released updates for iOS, macOS, tvOS, watchOS, and the Safari web browser to fix a number of issues, including an actively exploited zero-day flaw.
The updates include macOS Big Sur and also address two previously disclosed zero-day flaws.
Tracked as CVE-2021-30713, the issue is a permissions problem in Apple’s Transparency, Consent, and Control (TCC) framework, which maintains a database of the consents each user has granted to applications.
Apple acknowledged that the issue may have been exploited in the wild but did not provide details, saying only that it had rectified the problem with improved validation.
A separate report from mobile device management company Jamf revealed that the bypass flaw was being actively exploited by XCSSET, a strain of malware known for spreading via altered Xcode projects hosted on GitHub repositories and planting malicious packages inside apps installed on the target system.
“The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behaviour,” Jamf researchers Stuart Ashenbrenner, Jaron Bradley, and Ferdous Saljooki said in a write-up.
Apple zero-day flaw:
A zero-day flaw in AppleScript allowed the attacker, on devices where XCSSET was installed, to abuse the permissions already granted to a trojanized application in order to capture and exfiltrate sensitive information.
In particular, the malware checked whether certain installed applications, including Zoom, Discord, WhatsApp, Slack, TeamViewer, Upwork, Skype, and Parallels Desktop, had screen capture permissions, then exploited those grants to get its own malicious application running.
“By leveraging an installed application with the proper permissions set, the attacker can piggyback off that donor app when creating a malicious app to execute on victim devices, without prompting for user approval,” the researchers noted.
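The defender's counterpart to the check described above is an audit of which applications hold Full Disk Access or Screen Recording consent in the TCC database, so that an unexpected "donor" grant stands out. The script below is an added example and is not code from the article or from Jamf. It assumes the per-user TCC database has an `access` table with `service`, `client` and `auth_value` columns (the macOS Big Sur layout, where `auth_value` 2 means allowed) and reads only that subset; the sample rows, bundle identifiers and allowlist are constructed for the demonstration. Reading the real file under `~/Library/Application Support/com.apple.TCC/TCC.db` itself requires Full Disk Access, so the `main` guard reports that case rather than failing.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Assumed TCC auth_value meanings (Big Sur schema): 0 denied, 1 unknown, 2 allowed, 3 limited.
AUTH_ALLOWED = 2

# The two consents named in the article: Full Disk Access and Screen Recording.
WATCHED_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceScreenCapture": "Screen Recording",
}


def load_grants(db_path):
    """Return {service: [client bundle ids]} for allowed entries in a TCC.db-shaped database."""
    placeholders = ",".join("?" * len(WATCHED_SERVICES))
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            f"SELECT service, client, auth_value FROM access WHERE service IN ({placeholders})",
            tuple(WATCHED_SERVICES),
        ).fetchall()
    finally:
        conn.close()
    grants = {service: [] for service in WATCHED_SERVICES}
    for service, client, auth_value in rows:
        if auth_value == AUTH_ALLOWED:
            grants[service].append(client)
    return grants


def unexpected_clients(grants, allowlist):
    """Flag granted clients that are not on the administrator's allowlist."""
    return {
        service: sorted(c for c in clients if c not in allowlist)
        for service, clients in grants.items()
    }


def build_sample_db(path):
    """Constructed sample database with only the columns this script reads."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?, ?)",
        [
            ("kTCCServiceScreenCapture", "us.zoom.xos", 0, 2, 2),
            ("kTCCServiceScreenCapture", "com.tinyspeck.slackmacgap", 0, 2, 2),
            # A grant the administrator never approved: this is what the audit should flag.
            ("kTCCServiceScreenCapture", "com.example.unknown-helper", 0, 2, 2),
            ("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 2, 2),
            # Denied entries (auth_value 0) are ignored by the audit.
            ("kTCCServiceSystemPolicyAllFiles", "com.example.denied", 0, 0, 2),
        ],
    )
    conn.commit()
    conn.close()


SAMPLE_ALLOWLIST = {"us.zoom.xos", "com.tinyspeck.slackmacgap", "com.apple.Terminal"}


def audit_sample():
    """Build the constructed database in a temp dir and return the flagged grants."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "TCC.db")
        build_sample_db(db_path)
        return unexpected_clients(load_grants(db_path), SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    real_db = Path.home() / "Library" / "Application Support" / "com.apple.TCC" / "TCC.db"
    try:
        flagged = unexpected_clients(load_grants(str(real_db)), SAMPLE_ALLOWLIST)
    except sqlite3.OperationalError:
        print(f"cannot open {real_db}; the auditing process itself needs Full Disk Access")
        print("falling back to the constructed sample database")
        flagged = audit_sample()
    for service, clients in flagged.items():
        print(f"{WATCHED_SERVICES[service]}: unexpected grants -> {clients or 'none'}")
```

Run periodically (or from an MDM agent that already holds Full Disk Access) and diff the output against the previous run; a new client appearing under Screen Recording or Full Disk Access is exactly the kind of consent the article describes an attacker piggybacking on.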
The XCSSET malware also came under increased scrutiny last month after a new variant was discovered targeting Macs running Apple’s new M1 chip in order to steal cryptocurrency wallet information.
Almost three weeks after Apple addressed the same issues in iOS, macOS, and watchOS earlier this month, the updates also fix two actively exploited flaws in its WebKit browser engine, affecting Safari, Apple TV 4K, and Apple TV HD devices:
- CVE-2021-30663 – an integer overflow issue in WebKit that could lead to arbitrary code execution when maliciously crafted web content is processed.
- CVE-2021-30665 – a memory corruption issue in WebKit that could lead to arbitrary code execution when maliciously crafted web content is processed.
Apple users are advised to update to the latest versions to avoid the risks posed by these flaws.