A critical zero-click vulnerability, identified as CVE-2022-46723, was discovered in macOS Calendar by security researcher Mikko Kenttala in 2022. This vulnerability allowed attackers to exploit the Calendar app without requiring any user interaction. The attack begins with a malicious calendar invite that contains a file attachment with an unsanitized filename. This file allows attackers to perform a directory traversal attack, enabling them to place files in unintended locations on the victim’s filesystem. By overwriting or deleting files in the Calendar app’s sandboxed environment, attackers could manipulate the system to execute harmful code.
The vulnerability also presented the opportunity to escalate the attack by injecting calendar files containing malicious code. These files, designed to execute when macOS is upgraded, particularly from Monterey to Ventura, would trigger automatic execution of .dmg images or .url shortcuts. This could eventually lead to remote code execution (RCE), where attackers could gain full control over the victim’s device. Additionally, Kenttala demonstrated how an attacker could abuse the vulnerability in combination with a security evasion in the Photos app, allowing access to private photos stored in iCloud.
By manipulating the configuration of Photos to use an unprotected directory as the System Photo Library, attackers could bypass the Transparency, Consent, and Control (TCC) protection. This allowed them to gain unauthorized access to iCloud photos and potentially leak sensitive user data. The vulnerability highlights the growing risk of sophisticated zero-click exploits that target personal and sensitive information stored on devices. Without proper safeguards, such vulnerabilities could have widespread consequences for users’ privacy and security.
Apple responded to the discovery by releasing fixes between October 2022 and September 2023. These updates tightened file permissions in the Calendar app and added additional security layers to prevent the directory traversal attack. Apple also advised users to keep their devices up to date and limit app access to sensitive data, such as calendars and photos, to further strengthen security. Despite these patches, the incident underscores the importance of staying vigilant and applying security updates promptly to defend against evolving threats like zero-click exploits.
Reference:
