Security News > 2021 > May > Apple Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS
Apple on Monday rolled out security updates for iOS, macOS, tvOS, watchOS, and the Safari web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur, and to expand patches for two previously disclosed zero-day flaws.
Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple's Transparency, Consent, and Control framework in macOS that maintains a database of each user's consents.
In a separate report, mobile device management company Jamf said the bypass flaw was being actively exploited by XCSSET, malware that has been in the wild since August 2020 and is known to propagate via modified Xcode IDE projects hosted on GitHub repositories and to plant malicious packages into legitimate apps installed on the target system.
Taking the form of an AppleScript module, the zero-day flaw allowed the hackers to exploit devices on which XCSSET was installed, leveraging the permissions already granted to the trojanized application to amass and exfiltrate sensitive information.
Also fixed as part of Monday's updates are two other actively exploited flaws in its WebKit browser engine affecting Safari, Apple TV 4K, and Apple TV HD devices, almost three weeks after Apple addressed the same issues in iOS, macOS, and watchOS earlier this month.
Users of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the flaws.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-09-08 | CVE-2021-30713 | Improper Input Validation vulnerability in Apple Mac OS X and macOS. A permissions issue was addressed with improved validation. | 7.8 |