A safety researcher has detailed an outdated hack in macOS that gave hackers full entry to a person’s iCloud, needing solely a calendar invite to succeed.
In 2022, safety researcher Mikko Kenttala found a zero-click vulnerability inside macOS Calendar that would permit attackers so as to add or delete information within the Calendar sandbox setting. The vulnerability allowed attackers to execute malicious code and entry delicate information saved on the sufferer’s system, together with iCloud Photographs.
The exploit begins with the attacker sending a calendar invite containing a malicious file attachment. The filename is not correctly sanitized, which permits the attacker to carry out a “listing traversal” assault, that means they’ll manipulate the file’s path and place it in unintended areas.
The vulnerability (CVE-2022-46723) lets attackers overwrite or delete information throughout the Calendar app’s filesystem. For instance, if the attacker sends a file named “FILENAME=../../../malicious_file.txt,” it will likely be positioned exterior its supposed listing in a extra harmful location within the person’s filesystem.
Attackers may additional escalate the assault by utilizing the arbitrary file write vulnerability. They may inject malicious calendar information designed to execute code when macOS is upgraded, notably from Monterey to Ventura.
These information included occasions with alert functionalities that triggered when the system processed calendar information. Injected information would include code to robotically launch information like .dmg photographs and .url shortcuts, finally resulting in distant code execution (RCE).
Ultimately, the attacker may fully take over the Mac with out the person’s information or interplay.
Thankfully, the hack is not new. Apple patched it over a number of updates from October 2022 to September 2023. These fixes concerned tightening file permissions throughout the Calendar app and including extra safety layers to forestall the listing traversal exploit.
The best way to keep secure from zero-click assaults
To remain secure from zero-click vulnerabilities just like the one found in macOS Calendar, it is essential to observe a number of protecting measures. In the beginning, all the time maintain your software program updated.
Apple steadily releases patches that tackle safety flaws, and enabling automated updates ensures you may get vital fixes. Lastly, strengthen your system’s safety settings by limiting apps’ entry to delicate information, corresponding to your calendar, photographs, and information.