A series of critical, medium, and low-severity vulnerabilities in macOS were exploited through a zero-click chain, potentially compromising iCloud data and undermining the security reputation of macOS.
The exploit began with a flaw in the handling of files attached to Calendar events. This flaw allowed researcher Mikko Kenttälä to achieve remote code execution on targeted systems, gaining access to sensitive data such as iCloud Photos. Notably, the exploit did not require any user interaction, bypassing Apple’s Gatekeeper and Transparency, Consent, and Control (TCC) protections.
Zero-Click Exploit Chain in macOS
The initial critical bug in the chain, CVE-2022-46723, allowed attackers to send a calendar invite containing a malicious file, exploiting macOS’s failure to properly vet filenames. This flaw enabled attackers to execute arbitrary code and manipulate system files without user interaction.
One of the most concerning aspects of the exploit was the potential for path traversal, allowing attackers to escape the Calendar’s sandbox and access sensitive system locations.
Kenttälä leveraged this exploit to manipulate files during an operating system upgrade, facilitating the execution of further malicious actions, including mounting network shares and launching harmful applications.
Undermining Apple’s Native Security Controls
The subsequent malicious app exploited a Gatekeeper bypass, replacing iCloud Photos’ configuration file with a malicious one. This action circumvented macOS’s TCC protection, allowing for the theft and exfiltration of photos to external servers.
Despite the critical security features in macOS, the exploit chain highlighted vulnerabilities that enabled attackers to evade these protections and access sensitive data.
Apple addressed and patched the vulnerabilities in the exploit chain between October 2022 and September 2023.
Don’t miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!
