Apple Fixes macOS Zero Day Vulnerability, Abused by XCSSET macOS Malware

Apple has released security updates for a variety of its products, including a patch for three macOS and tvOS zero-day vulnerabilities. The patch comprises a zero-day vulnerability fix that has been exploited in the wild for nearly a year by the XCSSET malware gang. 

Apple said it was aware of allegations that the security flaws “may have been actively exploited” in all three cases, but it didn’t go into detail about the assaults or threat actors who might have exploited the zero-days. 

WebKit on Apple TV 4K and Apple TV HD devices is affected by two of the three zero-days (CVE-2021-30663 and CVE-2021-30665). Webkit is an HTML rendering engine used by Apple’s web browsers and applications on its desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS.Threat actors might use maliciously generated web content to attack the two vulnerabilities, which would allow arbitrary code execution on unpatched devices due to a memory corruption issue. 

The third zero-day (CVE-2021-30713) is a permission issue found in the Transparency, Consent, and Control (TCC) framework that affects macOS Big Sur devices. The TCC framework is a macOS subsystem that prevents installed apps from accessing sensitive user information without asking the user for explicit permission via a pop-up message. A maliciously constructed application could be used to exploit this issue, bypassing Privacy settings and gaining access to sensitive user data. 

While Apple didn’t provide much detail about how the three zero-days were exploited in assaults, Jamf researchers found that the macOS zero-day (CVE-2021-30713) patched was leveraged by the XCSSET malware to get beyond Apple’s TCC privacy measures. 

According to the researchers, “the exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent — which is the default behavior.” 

“We, the members of the Jamf Protect detection team, discovered this bypass being actively exploited during the additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild. The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.” 

Trend Micro’s Mac Threat Response and Mobile Research teams first detected XCSSET in August 2020. According to the researchers, the vulnerability can be used to provide malicious applications with permissions such as disk access and screen recording. As a result of this, threat actors will be able to take screenshots of affected PCs. 

Last month, Trend Micro discovered a new XCSSET version that was upgraded to work with the newly launched Apple-designed ARM Macs. The CVE-2021-30713 vulnerability was discovered shortly after Craig Federighi, Apple’s head of software stated that macOS has an “unacceptable” level of malware, which he linked to the diversity of software sources. 

Apple addressed two iOS zero-days in the Webkit engine earlier this month, allowing arbitrary remote code execution (RCE) on vulnerable devices solely by visiting malicious websites. In addition, Apple has been releasing fixes for a number of zero-day bugs that have been exploited in the wild in recent months, including one that was resolved in macOS in April and a bunch of other iOS vulnerabilities that were resolved in the prior months.