Hackers steal iCloud photos through calendar invites — no clicks required – Uplaza

Even Apple’s Calendar app could be susceptible

A security researcher has detailed an old hack in macOS that gave hackers full access to a user’s iCloud, needing only a calendar invite to succeed.

In 2022, security researcher Mikko Kenttala found a zero-click vulnerability in macOS Calendar that could allow attackers to add or delete files within the Calendar sandbox environment. The vulnerability allowed attackers to execute malicious code and access sensitive data stored on the victim’s device, including iCloud Photos.

The exploit begins with the attacker sending a calendar invite containing a malicious file attachment. The filename is not properly sanitized, which allows the attacker to perform a “directory traversal” attack, meaning they can manipulate the file’s path and place it in unintended locations.

The vulnerability (CVE-2022-46723) lets attackers overwrite or delete files within the Calendar app’s filesystem. For example, if the attacker sends a file named “FILENAME=../../../malicious_file.txt,” it will be placed outside its intended directory in a more dangerous location in the user’s filesystem.
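The path handling described above, next to a check that rejects such names, as an added example (not Apple's code and not from the researcher's write-up). The function names and the `/srv/cal/attachments/evt1` directory are hypothetical.

```python
import os
from pathlib import Path


class UnsafeAttachmentName(ValueError):
    """The attachment filename would not stay inside the attachment directory."""


def naive_destination(attach_dir: str, filename: str) -> str:
    # Flawed pattern: the sender-controlled name is joined to the directory
    # as-is, so "../" components walk out of it.
    return os.path.normpath(os.path.join(attach_dir, filename))


def safe_destination(attach_dir: str, filename: str) -> Path:
    base = Path(attach_dir).resolve()
    # A legitimate attachment name is a single path component: reject
    # separators (both styles), NUL bytes, empty names and dot entries.
    if (not filename or filename in (".", "..")
            or any(c in filename for c in ("/", "\\", "\x00"))):
        raise UnsafeAttachmentName(repr(filename))
    dest = (base / filename).resolve()
    # Defence in depth: after symlink resolution the file must still sit
    # directly inside the attachment directory.
    if dest.parent != base:
        raise UnsafeAttachmentName(repr(filename))
    return dest


if __name__ == "__main__":
    # Constructed inputs; the traversal name is the one quoted in the article.
    base = "/srv/cal/attachments/evt1"  # hypothetical directory
    for name in ("agenda.pdf", "../../../malicious_file.txt"):
        print("naive:", naive_destination(base, name))
        try:
            print("safe: ", safe_destination(base, name))
        except UnsafeAttachmentName as exc:
            print("safe:  rejected", exc)
```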

Attackers could further escalate the attack by using the arbitrary file write vulnerability. They could inject malicious calendar files designed to execute code when macOS is upgraded, particularly from Monterey to Ventura.

The complete exploit chain

These files included events with alert functionality that triggered when the system processed calendar data. Injected files would contain code to automatically launch files like .dmg images and .url shortcuts, eventually leading to remote code execution (RCE).

Ultimately, the attacker could completely take over the Mac without the user’s knowledge or interaction.

Thankfully, the hack is not new. Apple patched it over a number of updates from October 2022 to September 2023. These fixes involved tightening file permissions within the Calendar app and adding further security layers to prevent the directory traversal exploit.

How to stay safe from zero-click attacks

To stay protected from zero-click vulnerabilities like the one found in macOS Calendar, it is essential to follow a few protective measures. First and foremost, always keep your software up to date.

Apple regularly releases patches that address security flaws, and enabling automatic updates ensures you get critical fixes. Lastly, strengthen your device’s security settings by limiting apps’ access to sensitive data, such as your calendar, photos, and files.
