Apple Releases Updates to Fix Three Zero-Days
Apple released updates to macOS 11.4, 10.15, 10.14; iOS and iPadOS 14.6; watchOS 7.5 and tvOS 14.6 to address three zero day vulnerabilities hackers exploited in the wild. The XCSSET malware exploited the weakness in CVE-2021-30713 to bypass macOS privacy protections while CVE-2021-30663 and CVE-2021-30665 impact WebKit on Apple TV 4K and Apple TV HD devices. Zero-day vulnerabilities have been showing up more in Apple’s security advisories, often tagged as exploited prior to fixes being released.
This is the second time this month that Apple has patched actively exploited vulnerabilities. Either Apple's ecosystem is seeing more attention from attackers, or Apple is being more open in announcing if vulnerabilities are already exploited. Note that this round of updates provides patches for older versions of OS X, like Catalina and Mojave. The most important vulnerability is targeting developers via malicious XCode projects. Prioritize these patches if you are using XCode.
Apple is releasing updates as rapidly as they can to thwart exploits actively being exploited. Unfortunately, this is shortening the update cycle. Even though you likely haven’t finished applying the last OS updates from the beginning of May, you need to keep rolling forward to get these deployed. CVE-2021-30713 is a flaw in the Transparency, Consent and Control (TCC) framework, while the others are focused on webkit, which impacts both mobile and desktop operating systems. Push the updates to your ADE devices to have users install immediately so you can focus on desktop devices running the other operating systems.
Read more in
Apple: Apple security updates
Bleeping Computer: Apple fixes three zero-days, one abused by XCSSET macOS malware