Wednesday, 09 July 2025

Apple fixes 0-day vulnerabilities in macOS

Apple has released security updates for iOS, macOS, tvOS, watchOS, and the Safari web browser that fix multiple vulnerabilities, including an actively exploited zero-day vulnerability (CVE-2021-30713) in macOS Big Sur.

The issue is related to the permissions in Apple's Transparency, Consent and Control (TCC) framework in macOS that maintains a database of each user's consents. According to the tech giant, the vulnerability may have been exploited in the wild.

According to researchers at Jamf, the vulnerability was being actively exploited by the operators of XCSSET, malware that has been in the wild since August 2020 and is known to propagate via modified Xcode IDE projects hosted in GitHub repositories. The malware places malicious packages inside legitimate applications installed on the target system.

"Exploitation of the vulnerability could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user's explicit consent," the researchers explained.

Two other actively exploited issues (CVE-2021-30663 and CVE-2021-30665) in the WebKit browser engine affecting Safari, Apple TV 4K and Apple TV HD devices have also been fixed.

Source: securitylab.ru

25 May 2021
