A recent discovery by researcher Mikko Kenttälä has shed light on a zero-click exploit chain in macOS that could have had dire consequences for users’ security. The individual vulnerabilities in this chain ranged from critical to low severity, but when combined they posed a significant threat to the integrity of macOS’s security protections and the safety of iCloud data.
The initial vulnerability, CVE-2022-46723, was identified in February 2023 and was rated as critical, with a CVSS score of 9.8. The flaw stemmed from a lack of sanitization of files attached to Calendar events, enabling attackers to execute remote code on targeted systems without any user interaction. For Kenttälä, this meant he could access sensitive data, such as iCloud Photos, without triggering Apple’s Gatekeeper or Transparency, Consent, and Control (TCC) protections.
The exploit chain continued with the ability to manipulate the names of files attached to Calendar events, allowing attackers to perform actions such as deleting system files and executing malicious code. Kenttälä used this capability to create files that would execute further actions during an operating system upgrade, effectively bypassing security checks and launching a malicious app undetected.
The malicious app exploited a vulnerability in macOS’s Gatekeeper, which is designed to prevent untrusted apps from running on Mac systems. This flaw, labeled as CVE-2023-40344 and rated as medium severity, allowed the attacker to replace the configuration file for iCloud Photos with a malicious one. By redirecting Photos to a custom path outside of the TCC protection, the attacker could access and steal photos from the victim’s device without detection.
Despite macOS’s robust security features, this exploit chain highlights the vulnerabilities that exist within the operating system and how attackers can bypass these protections. Callie Guenther, a cybersecurity expert, explained that zero-click vulnerabilities like the one in macOS Calendar can be exploited to subvert security controls and access sensitive data. She noted that similar vulnerabilities exist in Windows as well, showcasing the ongoing battle between security measures and persistent attackers.
Apple responded to these vulnerabilities by issuing patches between October 2022 and September 2023 to address the various weaknesses in the exploit chain. These patches were crucial in safeguarding users against potential attacks and restoring trust in macOS’s security defenses.
In conclusion, the zero-click exploit chain in macOS serves as a reminder of the constant threat landscape faced by digital platforms and the need for continuous vigilance and updates to combat evolving cybersecurity risks. As technology progresses, so do the tactics of malicious actors, making it essential for companies like Apple to stay ahead of the curve in protecting their users’ data and privacy.