Security Experts:

Connect with us

Hi, what are you looking for?



Apple Patches macOS Big Sur Vulnerability Exploited by Malware

Apple on Monday announced that software updates for its desktop and mobile operating systems address tens of vulnerabilities, including a zero-day flaw in macOS Big Sur that has been exploited in attacks.

Apple on Monday announced that software updates for its desktop and mobile operating systems address tens of vulnerabilities, including a zero-day flaw in macOS Big Sur that has been exploited in attacks.

Tracked as CVE-2021-30713, the exploited bug has been described as a bypass of the Transparency Consent and Control (TCC) protections, which control what resources applications have access to. An attacker can exploit it to access data on disk, to record the screen, and gain additional permissions without user interaction.

Security researchers with Jamf, a firm that specializes in enterprise management software for Apple devices, say that the vulnerability has been actively exploited by the XCSSET malware, which infects Xcode projects to target Mac developers.

Initially detailed in August 2020, the malware was designed to steal sensitive data and to launch ransomware attacks. In March 2021, Kaspersky discovered that XCSSET had been updated to also target devices powered by Apple’s M1 chip, which was unveiled in November 2020.

Apple describes the zero-day vulnerability as a bypass in Privacy preferences that a malicious application may exploit. The company says it has improved validation to address the issue.

“Apple is aware of a report that this issue may have been actively exploited,” the tech giant notes.

Over 70 other vulnerabilities were addressed in macOS Big Sur, more than half of which were also addressed with software updates for macOS Catalina and macOS Mojave.

The patched flaws could lead to arbitrary code execution, memory leaks, denial of service, data exposure, and elevation of privilege, among others.

Apple also addressed more than 40 vulnerabilities with the release of iOS 14.6 and iPadOS 14.6, and also pushed out security updates for tvOS and watchOS, each with patches for more than 20 bugs.

Safari 14.1.1 was released this week with fixes for 10 security holes, all affecting the WebKit component. The bugs could be abused for code execution, cross-site scripting (XSS), access to restricted ports, information leaks, or denial of service.

Details on the newly released software updates and the vulnerabilities they address can be found on Apple’s security updates page.

Related: Apple Patches Security Bypass Vulnerability Impacting Macs With M1 Chip

Related: Apple iOS 14.5 Patches 50 Security Vulnerabilities

Related: Apple Patches Under-Attack iOS Zero-Day

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.