Even Apple’s Calendar app may be susceptible
A safety researcher has detailed an previous hack in macOS that gave hackers full entry to a person’s iCloud, needing solely a calendar invite to succeed.
In 2022, safety researcher Mikko Kenttala found a zero-click vulnerability inside macOS Calendar that would permit attackers so as to add or delete recordsdata within the Calendar sandbox surroundings. The vulnerability allowed attackers to execute malicious code and entry delicate information saved on the sufferer’s system, together with iCloud Photographs.
The exploit begins with the attacker sending a calendar invite containing a malicious file attachment. The filename is not correctly sanitized, which permits the attacker to carry out a “directory traversal” assault, which means they will manipulate the file’s path and place it in unintended areas.
The vulnerability (CVE-2022-46723) lets attackers overwrite or delete recordsdata throughout the Calendar app’s filesystem. For instance, if the attacker sends a file named “FILENAME=../../../malicious_file.txt,” it is going to be positioned outdoors its meant listing in a extra harmful location within the person’s filesystem.
Attackers might additional escalate the assault by utilizing the arbitrary file write vulnerability. They might inject malicious calendar recordsdata designed to execute code when macOS is upgraded, significantly from Monterey to Ventura.
The complete exploit chain
These recordsdata included occasions with alert functionalities that triggered when the system processed calendar information. Injected recordsdata would comprise code to routinely launch recordsdata like .dmg pictures and .url shortcuts, ultimately resulting in distant code execution (RCE).
Finally, the attacker might fully take over the Mac with out the person’s data or interplay.
Happily, the hack is not new. Apple patched it over a number of updates from October 2022 to September 2023. These fixes concerned tightening file permissions throughout the Calendar app and including further safety layers to stop the listing traversal exploit.
keep secure from zero-click assaults
To remain secure from zero-click vulnerabilities just like the one found in macOS Calendar, it is essential to observe a number of protecting measures. Initially, all the time hold your software program updated.
Apple often releases patches that tackle safety flaws, and enabling computerized updates ensures you may get essential fixes. Lastly, strengthen your system’s safety settings by proscribing apps’ entry to delicate information, akin to your calendar, pictures, and recordsdata.