Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

September 17, 2024 at 05:31PM

A zero-click exploit chain in macOS undermines security protections, compromising iCloud data. It starts with a lack of file sanitization in Calendar events, leading to remote code execution and access to sensitive data. Attackers can exploit vulnerabilities to bypass security controls like Gatekeeper and TCC. Apple has since acknowledged and patched the vulnerabilities.

From the meeting notes, it is clear that a zero-click exploit chain in macOS was discovered, compromising the security of macOS systems and potentially compromising victims’ iCloud data. The exploit took advantage of vulnerabilities in macOS’s security protections, namely Gatekeeper and Transparency, Consent, and Control (TCC), allowing an attacker to achieve remote code execution and access sensitive data without any user interaction.

The chain began with a lack of file sanitization in Calendar events, leading to the discovery of a critical vulnerability (CVE-2022-46723) that allowed an attacker to send a calendar invite containing a malicious file, bypassing macOS’s security checks. This exploit could lead to arbitrary file deletion and path traversal on the system.

Subsequently, the attacker was able to launch a malicious app that bypassed macOS’s Gatekeeper security feature and replaced the configuration file associated with iCloud Photos, allowing for the theft and exfiltration of photos to foreign servers.

The exploit chain demonstrated a significant undermining of Apple’s native security controls, and while Apple has acknowledged and patched the vulnerabilities, it highlights the potential for attackers to bypass these protections in both macOS and Windows systems.

It’s important to note that these vulnerabilities have been addressed by Apple in various patches released between October 2022 and September 2023.

In addition, the meeting notes make a reference to the latest episode of the Dark Reading Confidential podcast, featuring a discussion with cybersecurity professionals who were arrested in Dallas County, Iowa, for their pen-testing jobs. It may be worth listening to this podcast for further insights into this incident.

If you have any specific action items or further information needed based on these meeting notes, please let me know how I can assist.

Full Article