Active Exploitation of Zero-Day Vulnerabilities in macOS and tvOS

Published on 25 May 2021

Updated on 25 May 2021

Apple has released security updates to address three macOS and tvOS zero-day vulnerabilities that are being actively exploited.

The vulnerabilities are:

  • CVE-2021-30663: An integer overflow vulnerability in WebKit that allows an attacker to potentially trigger the vulnerability on the targeted device when the user visits a website with malicious exploit code created by the attacker.
  • CVE-2021-30665: A buffer overflow vulnerability in WebKit that allows an attacker to potentially trigger a memory corruption on the targeted device when the user visits a website with malicious exploit code created by the attacker.
  • CVE-2021-30713: A permission issue found in the Transparency, Consent, and Control (TCC) framework that allows an attacker to access sensitive user data and gain Full Disk Access, Screen Recording, or other permissions on the device without requiring the user’s explicit consent.

Successful exploitation of the vulnerabilities may lead to arbitrary code execution and compromise of the macOS and tvOS devices.

Users are advised to enable automatic software update or patch their products to the latest versions immediately:

  • Apple TV 4K and Apple TV HD tvOS 14.6
  • macOS Big Sur 11.4

 

More information is available here:

https://support.apple.com/en-us/HT201222
https://support.apple.com/en-us/HT212529
https://support.apple.com/en-us/HT212532