A critical zero-click vulnerability has been discovered in macOS Calendar, allowing attackers to add or delete arbitrary files within the Calendar sandbox environment and execute malicious code without any user interaction.

The vulnerability, found by security researcher Mikko Kenttala in 2022, could also be combined with a security protection evasion in Photos to compromise users’ sensitive iCloud Photos data.

The exploit begins with an attacker sending a malicious calendar invite containing a file attachment with an unsanitized filename. This allows the attacker to perform a directory traversal attack and place the file in unintended locations on the victim’s filesystem.

The vulnerability, tracked as CVE-2022-46723, enables attackers to overwrite or delete files within the Calendar app’s filesystem. Attackers could then escalate the attack by injecting malicious calendar files designed to execute code when macOS is upgraded, particularly from Monterey to Ventura.

These injected files included events with alert functionalities that would trigger when the system processed calendar data. The files would contain code to automatically launch .dmg images and .url shortcuts, eventually leading to remote code execution (RCE).

To demonstrate the severity of the exploit, Kenttala showed how an attacker could abuse Photos to leak private user pictures stored on iCloud.

By changing the configuration of Photos to use an unprotected directory as the System Photo Library, the attacker could bypass the Transparency, Consent, and Control (TCC) protection and gain access to the victim’s iCloud photos.

Apple’s Response

Apple has fixed all of the vulnerabilities between October 2022 and September 2023. The fixes involved tightening file permissions within the Calendar app and adding additional security layers to prevent the directory traversal exploit.

To protect against zero-click vulnerabilities like this one, users are advised to keep their software up to date, as Apple frequently releases patches addressing security flaws. Additionally, restricting apps’ access to sensitive data, such as calendars and photos, can help strengthen device security.

This vulnerability highlights the ongoing threat of increasingly sophisticated attacks targeting users’ private data. Staying vigilant and promptly applying security updates remain crucial in mitigating these risks.