A critical zero-click vulnerability in macOS Calendar, tracked as CVE-2022-46723, allowed attackers to execute malicious code without any user interaction [2].
Description
This vulnerability stemmed from a lack of file sanitization in Calendar events [1], enabling attackers to add or delete arbitrary files within the Calendar sandbox environment [2]. Attackers could inject malicious calendar files that would execute code during a macOS upgrade, particularly from Monterey to Ventura [2], leading to remote code execution (RCE) [2]. The exploit chain also allowed the iCloud Photos configuration to be replaced with a malicious file [1], bypassing security protections such as Gatekeeper and TCC [1]. By changing the Photos configuration to use an unprotected directory as the System Photo Library [2], attackers could gain access to sensitive iCloud photos. Apple patched these vulnerabilities between October 2022 and September 2023 [1], recognizing the severity of the exploit [1].
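The file-sanitization gap described above, shown as an added example that is not Apple's code and does not come from the cited reports: it assumes that attachment filenames carried in ATTACH lines are the untrusted input (the FILENAME parameter name and the sample event are constructed), and contrasts a naive path join with a hardened version that confines every write to the Calendar sandbox directory.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Constructed sample event: the second ATTACH carries a hostile filename.
# FILENAME is a stand-in parameter name, not a real iCalendar parameter.
SAMPLE_ICS = """BEGIN:VEVENT
SUMMARY:Quarterly review
ATTACH;FILENAME=agenda.pdf:https://example.invalid/agenda.pdf
ATTACH;FILENAME=../../Preferences/evil.plist:https://example.invalid/x
END:VEVENT
"""

# One plain path component: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,254}")


def parse_attachment_names(ics: str) -> list:
    """Collect the untrusted FILENAME values from ATTACH lines."""
    names = []
    for line in ics.splitlines():
        if line.startswith("ATTACH;"):
            match = re.search(r"FILENAME=([^;:]+)", line)
            if match:
                names.append(match.group(1))
    return names


def unsafe_attachment_path(sandbox_dir: str, name: str) -> str:
    """Pattern to avoid: joining an untrusted name lets '..' escape the sandbox."""
    return os.path.normpath(os.path.join(sandbox_dir, name))


def safe_attachment_path(sandbox_dir: str, name: str) -> Optional[Path]:
    """Accept only a single plain component and verify the resolved target
    still sits directly inside the sandbox; return None to reject."""
    if not SAFE_NAME.fullmatch(name) or name.endswith("."):
        return None
    root = Path(sandbox_dir).resolve()
    target = (root / name).resolve()
    if target.parent != root:  # defence in depth against symlink or normalisation tricks
        return None
    return target


def plan_writes(ics: str, sandbox_dir: str) -> dict:
    """Map each attachment name to its confined path, or None if rejected."""
    return {n: safe_attachment_path(sandbox_dir, n) for n in parse_attachment_names(ics)}
```

The allow-list check rejects the hostile name outright, and the parent-directory comparison catches anything that survives normalisation, so a rejected attachment is never written anywhere.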
Conclusion
The discovery of this vulnerability highlights the importance of timely patching and system updates to prevent security breaches. It also underscores the need for robust file sanitization, especially for files parsed from untrusted sources such as calendar invitations. Going forward, users should remain vigilant and implement security measures to safeguard their data and devices.
References
[1] https://www.darkreading.com/vulnerabilities-threats/zero-click-rce-bug-macos-calendar-exposes-icloud-data
[2] https://cybersecuritynews.com/zero-click-macos-calendar-app/