Apple recently patched several vulnerabilities across its lineup of software and operating systems. Included in these patches were fixes for two zero-day vulnerabilities that have been exploited in the wild. Please find below a comment from Satnam Narang, Staff Research Engineer, Tenable.
“Apple patched CVE-2021-30661, a vulnerability in its WebKit Storage component used in its browser engine. The vulnerability exists across its desktop operating system (macOS Big Sur) as well as its mobile devices such as iPhone (iOS), iPad (iPadOS), Apple Watch (watchOS) and its operating system for Apple TV, tvOS. Apple says that an attacker could gain arbitrary code execution when processing maliciously crafted web content. Apple said they’re aware of reports this flaw has been actively exploited in the wild.
“In addition to CVE-2021-30661, Apple also patched CVE-2021-30657, a logic issue in its System Preferences. The vulnerability would allow an attacker to bypass Apple’s Gatekeeper, which is supposed to prevent untrusted software from running on macOS. As an example, security researcher Patrick Wardle, who wrote about the flaw, created a proof-of-concept of a resume PDF file that, when opened, will launch the system’s Calculator application, a popular benign tactic used to show successful exploitation.
“Researchers at Jamf also documented the in-the-wild exploitation of CVE-2021-30657 by operators of the Shlayer macOS malware. The group has been known to spread their malware through poisoned search results that lead to fake downloads of Adobe Flash Player.
“Users of Apple devices, from laptops to mobile devices, should regularly update to the latest version to protect themselves against threats like the ones patched recently.” – Satnam Narang, Staff Research Engineer, Tenable
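The advice above boils down to two checks a macOS administrator can script: is the installed version at or above the release that carries the fix, and is Gatekeeper still enforcing its assessments. The following script is an added example and is not code from Tenable, Apple, or the researchers quoted; it uses the standard macOS tools `sw_vers`, `spctl` and `softwareupdate`. The fixed version number is not stated on this page, so it is read from a `PATCHED_MACOS` environment variable that you set from Apple's advisory; the version-comparison and status-parsing helpers are pure POSIX shell so they can be exercised on any system.

```shell
#!/bin/sh
# Added example (not Tenable's, Apple's or Patrick Wardle's code): post-patch
# hygiene checks for the macOS issues discussed above.
# PATCHED_MACOS is a placeholder; set it to the fixed macOS version from Apple's advisory.
PATCHED_MACOS="${PATCHED_MACOS:-PLACEHOLDER_SET_FROM_APPLE_ADVISORY}"

# version_ge A B: succeed (exit 0) when dotted version A is >= B, comparing
# each numeric component in turn; missing trailing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# gatekeeper_status_ok TEXT: succeed when the output of `spctl --status`
# reports "assessments enabled" (Gatekeeper is enforcing).
gatekeeper_status_ok() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_host: run the live checks; only meaningful on macOS.
check_host() {
    case "$PATCHED_MACOS" in
        *[!0-9.]*)
            echo "Set PATCHED_MACOS to the fixed version from Apple's advisory"
            return 1 ;;
    esac
    installed="$(sw_vers -productVersion)"
    if version_ge "$installed" "$PATCHED_MACOS"; then
        echo "macOS $installed: at or above $PATCHED_MACOS"
    else
        echo "macOS $installed: below $PATCHED_MACOS, update required"
    fi
    if gatekeeper_status_ok "$(spctl --status 2>&1)"; then
        echo "Gatekeeper: enabled"
    else
        echo "Gatekeeper: DISABLED (untrusted software will not be blocked)"
    fi
    # List any pending updates so the host can be brought current.
    softwareupdate -l
}

# Only perform the live checks when actually running on macOS.
if [ "$(uname)" = "Darwin" ]; then
    check_host
fi
```

Run it as `PATCHED_MACOS=<version from the advisory> sh check_macos.sh` on each Mac in the fleet; a non-zero exit or a "below" / "DISABLED" line is the signal to schedule the update or re-enable Gatekeeper.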