Apple recently released related security updates to fix three macOS and tvOS zero-day vulnerabilities that are currently vulnerable to attackers.
The first two vulnerabilities are CVE-2021-30663 and CVE-2021-30665, which affect the WebKit engine on Apple TV 4K and Apple TV HD devices. Webkit is Apple’s browser rendering engine that uses its web browsers and applications to render HTML content on its desktop and mobile platforms, including iOS, macOS, tvOS, and iPadOS. Through these two vulnerabilities, attackers can use maliciously crafted web content to cause memory corruption and then execute arbitrary code on unpatched devices.
Another vulnerability is CVE-2021-30713, which affects macOS Big Sur devices. It is a permission issue found in the TCC framework (Transparency, Consent, Control). The TCC framework is a macOS subsystem that can prevent installed applications from accessing sensitive user information without asking for clear permissions through a pop-up message.
In addition, researchers discovered that the vulnerability has been exploited by XCSSET malware.
However, although Apple said it was aware of reports that these security issues “may have been actively exploited,” it did not provide relevant details.