Apple addresses three zero-day flaws actively exploited in the wild

Pierluigi Paganini May 25, 2021

Apple has addressed three zero-day vulnerabilities in macOS and tvOS actively exploited in the wild by threat actors.

Apple has released security updates to address three zero-day vulnerabilities affecting macOS and tvOS which have been exploited in the wild. The macOS flaw has been exploited by the XCSSET malware to bypass security protections.

“Apple is aware of a report that this issue may have been actively exploited.” reads the security advisories published by Apple for the above issues.

The two zero-day flaws that impact WebKit on Apple TV 4K and Apple TV HD devices have been tracked as CVE-2021-30663 and CVE-2021-30665.

The CVE-2021-30663 zero-day is an integer overflow flaw that was addressed with improved input validation, the vulnerability was reported by an anonymous researcher.

The CVE-2021-30665 zero-day is a memory corruption issue that was addressed by the company with improved state management, the flaw was reported by yangkang (@dnpushme) &zerokeeper&bianliang of 360 ATA

The flaws could be exploited by attackers tricking the victims into visiting maliciously crafted web content.

The third zero-day, tracked as CVE-2021-30713, is a bypass of the Transparency Consent and Control (TCC) protections that was addressed with improved validation. The flaw impacts macOS Big Sur devices, it could be exploited by attackers to access data on disk gain additional permissions without user interaction.

Researchers from security firm Jamf reported that the flaw has been actively exploited by the XCSSET malware.

“In the latest macOS release (11.4), Apple patched a zero-day exploit (CVE-2021-30713) which bypassed the Transparency Consent and Control (TCC) framework. This is the system that controls what resources applications have access to, such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings.” reads the post published Jamf. “The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior. We, the members of the Jamf Protect detection team, discovered this bypass being actively exploited during additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild. The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.”

The XCSSET malware was first spotted by Trend Micro last year [PDF] in a campaign targeting Mac users via infected Xcode projects, using two other zero-days to hijack the Safari web bro and inject malicious Javascript payloads.

XCSSET is a Mac malware that was discovered by Trend Micro in August 2020, it was spreading through Xcode projects and exploits two zero-day vulnerabilities to steal sensitive information from target systems and launch ransomware attacks.

According to Trend Micro, the threat allows stealing data associated with popular applications, including Evernote, Skype, Notes, QQ, WeChat, and Telegram. The malware also allows attackers to capture screenshots and exfiltrate stolen documents to the attackers’ server. The malware also implements ransomware behavior, it is able to encrypt files and display a ransom note.

The malware is also able to launch universal cross-site scripting (UXSS) attacks in an effort to inject JavaScript code into the browser while visiting specific websites and changing user’s browser experience. This behavior allows the malicious code to replace cryptocurrency addresses, and steal credentials for online services (amoCRM, Apple ID, Google, Paypal, SIPMarket, and Yandex) and payment card information from Apple Store.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment