Apple fixes three zero-days, one abused by XCSSET macOS malware
Apple has released security updates to patch three macOS and tvOS zero-day vulnerabilities attackers exploited in the wild, with the former being abused by the XCSSET malware to bypass macOS privacy protections.
In all three cases, Apple said that it is aware of reports that the security issues “may have been actively exploited,” but it didn’t provide details on the attacks or threat actors who may have exploited the zero-days.
Exploitable for privacy bypass and code execution
Two of the three zero-days (tracked as CVE-2021-30663 and CVE-2021-30665) impact WebKit on Apple TV 4K and Apple TV HD devices.
Webkit is Apple’s browser rendering engine used by its web browsers and applications to render HTML content on its desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS.
Threat actors could exploit the two vulnerabilities using maliciously crafted web content that would trigger arbitrary code execution on unpatched devices due to a memory corruption issue.
The third zero-day (tracked as CVE-2021-30713) impacts macOS Big Sur devices, and it is a permission issue found in the Transparency, Consent, and Control (TCC) framework.
The TCC framework is a macOS subsystem that blocks installed apps from accessing sensitive user info without asking for explicit permissions via a pop-up message.
Attackers could exploit this vulnerability using a maliciously crafted application that may bypass Privacy preferences and access sensitive user data.
zero-day used by XCSSET macOS malware
While Apple didn’t provide any details on how the three zero-days were abused in attacks, Jamf researchers discovered that the macOS zero-day (CVE-2021-30713) patched today was used by the XCSSET malware to circumvent Apple’s TCC protections designed to safeguard users’ privacy.
“The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior,” the researchers said.
“We, the members of the Jamf Protect detection team, discovered this bypass being actively exploited during additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild.
“The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.”
The XCSSET malware was first spotted by Trend Micro last year [PDF] in a campaign targeting Mac users via infected Xcode projects, using two other zero-days to hijack the Safari web bro and inject malicious Javascript payloads.
A new XCSSET variant was discovered by Trend Micro researchers last month, updated to work on recently released Apple-designed ARM Macs.
Stream of zero-days exploited in the wild
Zero-day vulnerabilities have been showing up in Apple’s security advisories more and more often throughout this year, most of them also tagged as exploited in attacks before getting patched.
Earlier this month, Apple addressed two iOS zero-days in the Webkit engine allowing arbitrary remote code execution (RCE) on vulnerable devices simply by visiting malicious websites.
The company has also been issuing patches for a stream of zero-day bugs exploited in the wild over the past few months: one fixed in macOS in April and numerous other iOS vulnerabilities fixed in the previous months.
The company patched three other iOS zero-days—a remote code execution bug, a kernel memory leak, and a kernel privilege escalation flaw—impacting iPhone, iPad, and iPod devices in November.
The Shlayer malware used the macOS zero-day patched in April to bypass Apple’s File Quarantine, Gatekeeper, and Notarization security checks as an easy way to download and install second-stage malicious payloads.
Update: Added info on the XCSSET malware using the macOS zero-day, updated title.