Apple rolled out updates to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws.
Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple’s Transparency, Consent, and Control framework in macOS that maintains a database of each user’s consents. Rectified it by validating to an extent
The bypass flaw was being actively exploited by XCSSET, a malware that’s been out in the wild since August 2020 and known to propagate via modified Xcode IDE projects hosted on GitHub repositories and plant malicious packages into legitimate apps installed on the target system. Allowing access to storage, screen recording without any user consent
Taking the form of a AppleScript module, the zero-day flaw allowed the hackers to exploit the devices XCSSET was installed to leverage the permissions that have already been provided to the trojanized application to amass and exfiltrate sensitive information. Such as Zoom, Discord, WhatsApp, Slack, TeamViewer, Upwork, Skype, and Parallels Desktop, to inject the malware (“avatarde.app”) into the app’s folder, thereby inheriting the necessary permissions required to carry out its nefarious tasks and piggyback and execute the malicious app without any consent
Some of other Vulnerability fixed
- CVE-2021-30663 – An integer overflow issue in WebKit, which could be exploited to achieve arbitrary code execution when processing maliciously crafted web content.
- CVE-2021-30665 – A memory corruption issue in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content.
Users of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.