Apple fixes three macOS, tvOS zero-day bugs exploited in the wild

Apple has released security updates to patch three zero-day vulnerabilities that attackers might have exploited in the wild.

In all three cases, Apple said that it is aware of reports that the security issues "may have been actively exploited," but it didn't provide details on the attacks or threat actors who may have exploited the zero-days.

Exploitable for privacy bypass and code execution

Two of the three zero-days (tracked as CVE-2021-30663 and CVE-2021-30665) impact WebKit on Apple TV 4K and Apple TV HD devices.

Webkit is Apple's browser rendering engine used by its web browsers and applications to render HTML content on its desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS.

Threat actors could exploit the two vulnerabilities using maliciously crafted web content that would trigger arbitrary code execution on unpatched devices due to a memory corruption issue.

The third zero-day (tracked as CVE-2021-30713) impacts macOS Big Sur devices, and it is a permission issue found in the Transparency, Consent, and Control (TCC) framework.

The TCC framework is a macOS subsystem that blocks installed apps from accessing sensitive user info without asking for explicit permissions via a pop-up message.

Attackers could exploit this vulnerability using a maliciously crafted application that may bypass Privacy preferences and access sensitive user data.

Stream of zero-days exploited in the wild

Zero-day vulnerabilities have been showing up in Apple's security advisories more and more often throughout this year, most of them also tagged as exploited in attacks before getting patched.

Earlier this month, Apple addressed two iOS zero-days in the Webkit engine allowing arbitrary remote code execution (RCE) on vulnerable devices simply by visiting malicious websites.

The company has also been issuing patches for a stream of zero-day bugs exploited in the wild over the past few months: one fixed in macOS in April and numerous other iOS vulnerabilities fixed in the previous months.

The company patched three other iOS zero-days—a remote code execution bug, a kernel memory leak, and a kernel privilege escalation flaw—impacting iPhone, iPad, and iPod devices in November.

The Shlayer malware used the macOS zero-day patched in April to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks as an easy way to download and install second-stage malicious payloads.