Apple on Monday announced that software updates for its desktop and mobile operating systems address tens of vulnerabilities, including a zero-day flaw in macOS Big Sur that has been exploited in attacks.
Tracked as CVE-2021-30713, the exploited bug has been described as a bypass of the Transparency Consent and Control (TCC) protections, which control what resources applications have access to. An attacker can exploit it to access data on disk, to record the screen, and gain additional permissions without user interaction.
Security researchers with Jamf, a firm that specializes in enterprise management software for Apple devices, say that the vulnerability has been actively exploited by the XCSSET malware, which infects Xcode projects to target Mac developers.
Initially detailed in August 2020, the malware was designed to steal sensitive data and to launch ransomware attacks. In March 2021, Kaspersky discovered that XCSSET had been updated to also target devices powered by Apple’s M1 chip, which was unveiled in November 2020.
Apple describes the zero-day vulnerability as a bypass in Privacy preferences that a malicious application may exploit. The company says it has improved validation to address the issue.
“Apple is aware of a report that this issue may have been actively exploited,” the tech giant notes.
Over 70 other vulnerabilities were addressed in macOS Big Sur, more than half of which were also addressed with software updates for macOS Catalina and macOS Mojave.
The patched flaws could lead to arbitrary code execution, memory leaks, denial of service, data exposure, and elevation of privilege, among others.
Apple also addressed more than 40 vulnerabilities with the release of iOS 14.6 and iPadOS 14.6, and also pushed out security updates for tvOS and watchOS, each with patches for more than 20 bugs.
Safari 14.1.1 was released this week with fixes for 10 security holes, all affecting the WebKit component. The bugs could be abused for code execution, cross-site scripting (XSS), access to restricted ports, information leaks, or denial of service.
Details on the newly released software updates and the vulnerabilities they address can be found on Apple’s security updates page.