Apple has released security updates for iOS, macOS, tvOS, watchOS, and the Safari web browser that resolve multiple vulnerabilities, including three zero-day flaws that have been exploited in real-world attacks.
Two of the three zero-days, CVE-2021-30663 and CVE-2021-30665, affect WebKit on Apple TV 4K and Apple TV HD devices. The first vulnerability is an integer overflow issue in WebKit that can be abused for remote code execution by tricking a user into visiting a malicious web page.
The second flaw is described as a boundary error in WebKit. As in the first case, a remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption, and execute arbitrary code on the target system.
The third zero-day, tracked as CVE-2021-30713, impacts macOS Big Sur devices. The vulnerability exists due to insufficient validation of user-supplied input within the TCC subsystem. A malicious application can bypass Privacy preferences and gain full disk access, perform screen recording or gain other permissions without needing a user's explicit consent.
While Apple did not provide details regarding attacks exploiting the three zero-days, noting only that it is aware of reports that the security issues "may have been actively exploited," researchers at Jamf found that CVE-2021-30713 was used by the XCSSET malware to circumvent Apple's TCC protections, which are designed to safeguard users' privacy.
“We, the members of the Jamf Protect detection team, discovered this bypass being actively exploited during additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild. The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions,” the researchers wrote in a blog post.
First discovered in August 2020, XCSSET is Mac malware that spreads via Xcode projects and exploits zero-day vulnerabilities to steal sensitive information from target systems and launch ransomware attacks. The malware is able to steal data associated with popular applications, including Evernote, Skype, Notes, QQ, WeChat, and Telegram. It also allows attackers to capture screenshots and exfiltrate stolen documents to the attackers' server.
In March 2021, Kaspersky researchers discovered a new variant of XCSSET compiled for devices with M1 chips.