Apple has issued a patch to fix multiple vulnerabilities across its various platforms including iOS, macOS, tvOS, watchOS and Safari, including a macOS Big Sur zero-day vulnerability under active attack.
The exploited macOS flaw, tracked as CVE-2021-30713, lies in Apple's Transparency, Consent and Control (TCC) framework, which manages user consent for permissions across local apps. Apple, however, declined to share the exploit mechanism or the effects of successful exploitation. The company fixed the bug with improved validation.
Security firm Jamf, however, noted in a post that the bug has been exploited by the malware known as XCSSET, discovered in August 2020 by Trend Micro. The flaw can be exploited to grant malicious apps permissions including full disk access and access to screen recording, meaning hackers can take screenshots of infected machines.
The news comes shortly after Apple's head of software, Craig Federighi, said that macOS suffers from an "unacceptable" level of malware, which he blamed on the diversity in the sources of software. He was delivering testimony during the Epic Games vs Apple trial.
The XCSSET malware had initially targeted developers by infecting Xcode projects as a means of spreading through Github repositories. The malware is unique in the way that it's been written in AppleScript, which allows it to control script-enabled Mac applications.
RELATED RESOURCE
Four ransomware resiliency challenges you can combat with confidence
The benefits of a multi-layered security solution
The malware initially abused two zero-day exploits when it was first discovered, one to steal Safari browser cookies and another to bypass prompts to install a developer version of Safari on a targeted device. Jamf has confirmed that XCSSET is also abusing the TCC flaw.
Alongside this bug, Apple has patched CVE-2021-30663 and CVE-2021-30665, both lying in the WebKit browser engine in Safari and Apple TV, and both under attack.
The former is described as an integer overflow issue that can lead to remote code execution attacks when processing malicious web content. The latter is described as a memory corruption bug that can also lead to remote code execution attacks.
These three flaws have been patched alongside a handful of vulnerabilities, which are outlined in Apple's latest security update. They include flaws in AMD chips, the login window and the Intel graphics driver, among other areas.
-
Palo Alto Networks snaps up CyberArk in identity security pushNews The acquisition marks the latest in a string for Palo Alto Networks
-
Stack Overflow CEO Prashanth Chandrasekar on embracing AIQ&A The chief executive at the well-known developer resource Stack Overflow talks future strategy and how AI has forced the company to shift its focus
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
