Apple has recently addressed three serious zero-day bugs in macOS and tvOS that were under attack before a fix was deployed.
Zero-Day Bugs In macOS/tvOS
Specifically, Apple has addressed two zero-day bugs in tvOS and one zero-day in macOS under active exploitation.
According to Apple's advisory, one of the two tvOS bugs is CVE-2021-30663, an integer overflow vulnerability in Apple WebKit. Exploiting this bug could allow an adversary to execute arbitrary code on the target device.
The second vulnerability, CVE-2021-30665, was a memory corruption issue in WebKit. This vulnerability also allowed arbitrary code execution upon exploitation.
Apple has fixed both of these bugs, together with many other vulnerabilities, with the release of tvOS 14.5. The updates are available for Apple TV 4K and Apple TV HD.
The third zero-day specifically affected macOS Big Sur. As explained in the advisory, this vulnerability, CVE-2021-30713, could allow an app to bypass Privacy preferences due to a permissions issue.
Together with other vulnerabilities, Apple has fixed the bug with macOS Big Sur 11.4.
macOS Zero-Day Under Attack By XCSSET malware
Apple has confirmed the active exploitation of the three zero-days in its advisories, though it hasn’t shared many details. However, Jamf Protect has elaborated in a blog post that the XCSSET malware actively exploited this bypass of macOS's TCC (Transparency, Consent, and Control) privacy protections.
The vulnerability allows an adversary to gain access to screen recording, disk access, and other permissions, which is what the malware abused it for.
XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.
The researchers caught this malware abusing the flaw after observing a surge in variants of the malware in the wild.
XCSSET isn’t new malware. Rather, it has undergone numerous improvements, producing new variants.
Apple users should rush to update their devices, particularly Macs, to avoid potential attacks via zero-day exploits.