IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Apple fixes three macOS flaws under active attack

The patches come days after execs lamented the 'unacceptable' volume of Mac malware

Apple has issued a patch to fix multiple vulnerabilities across its various platforms including iOS, macOS, tvOS, watchOS and Safari, including a macOS Big Sur zero-day vulnerability under active attack.

The exploited macOS flaw, tracked as CVE-2021-30713, lies in Apple's Transparency, Consent and Control (TCC) framework, which manages user consent for permissions across local apps. Apple, however, declined to share the exploit mechanism or the effects of successful exploitation. The company fixed the bug with improved validation. 

Security firm Jamf, however, noted in a post that the bug has been exploited by the malware known as XCSSET, discovered in August 2020 by Trend Micro. The flaw can be exploited to grant malicious apps permissions including full disk access and access to screen recording, meaning hackers can take screenshots of infected machines. 

The news comes shortly after Apple's head of software, Craig Federighi, said that macOS suffers from an "unacceptable" level of malware, which he blamed on the diversity in the sources of software. He was delivering testimony during the Epic Games vs Apple trial.

The XCSSET malware had initially targeted developers by infecting Xcode projects as a means of spreading through Github repositories. The malware is unique in the way that it's been written in AppleScript, which allows it to control script-enabled Mac applications. 

Related Resource

Four ransomware resiliency challenges you can combat with confidence

The benefits of a multi-layered security solution

Windows of a high rise building - Four ransomware resiliency challenges you can combat with confidence - whitepaper from VeritasDownload now

The malware initially abused two zero-day exploits when it was first discovered, one to steal Safari browser cookies and another to bypass prompts to install a developer version of Safari on a targeted device. Jamf has confirmed that XCSSET is also abusing the TCC flaw.

Alongside this bug, Apple has patched CVE-2021-30663 and CVE-2021-30665, both lying in the WebKit browser engine in Safari and Apple TV, and both under attack. 

The former is described as an integer overflow issue that can lead to remote code execution attacks when processing malicious web content. The latter is described as a memory corruption bug that can also lead to remote code execution attacks.

These three flaws have been patched alongside a handful of vulnerabilities, which are outlined in Apple's latest security update. They include flaws in AMD chips, the login window and the Intel graphics driver, among other areas.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Best business smartphones 2022: The top handsets from Apple, Samsung, Google and more
Mobile

Best business smartphones 2022: The top handsets from Apple, Samsung, Google and more

23 Jun 2022
Apple faces a catch-22 decision with iPhones and USB-C
Policy & legislation

Apple faces a catch-22 decision with iPhones and USB-C

8 Jun 2022
Apple overhauls SwiftUI navigation and brings a score of new features to developers at WWDC 2022
software development

Apple overhauls SwiftUI navigation and brings a score of new features to developers at WWDC 2022

7 Jun 2022
The EU’s Apple App Store crackdown ‘will fuel cyber attacks’
cyber security

The EU’s Apple App Store crackdown ‘will fuel cyber attacks’

1 Jun 2022

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022