Zero-Click Vulnerability in Apple Calendar App: System Can Be Hijacked Without Ever Clicking
A critical vulnerability has been discovered in the Calendar app on Apple's macOS and iOS systems that allows an attacker to take control of the system without any user interaction. The vulnerability, tracked as CVE-2022-46723, is delivered through malicious calendar invites and, according to cybersecurity researcher Ebubekir Bastama, can still be actively exploited on devices that have not been updated.
Critical vulnerability discovered in Apple's Calendar app
The vulnerability, tracked as CVE-2022-46723, resides in Apple's Calendar application. It allows attackers to write and delete files and gain full control of the target system simply by sending a malicious calendar invitation, with no user interaction required.
It works without a click (zero-click)
The vulnerability belongs to the class of attacks known as 'zero-click', which require no interaction from the user. Cybersecurity researcher Ebubekir Bastama states that the vulnerability can be triggered with a malicious .ics calendar file, and that for it to work it is enough for the target device to accept incoming calendar invitations automatically.
Old but still dangerous
According to Ebubekir Bastama, although the vulnerability was discovered in 2022 and Apple released a fix, it can still be actively exploited on devices that have not been updated. Users running older iOS and macOS versions are at particular risk.
Which systems are affected?
The vulnerability affects Apple's macOS and iOS operating systems. No similar vulnerability has yet been detected on Windows or Android. Devices configured to accept calendar invites automatically are particularly at risk.
What can attackers do?
By exploiting the vulnerability, attackers can:
Write and delete files on the file system
Gain remote code execution (RCE)
Bypass Gatekeeper via SMB connections
Access personal photos via iCloud sync
All of these actions can be performed without any confirmation from the user.
How to protect?
Ebubekir Bastama emphasizes that devices should be kept up to date to protect against such attacks. In addition, the "automatic invitation acceptance" feature should be turned off in the Calendar application, invitations from unknown senders should not be opened, and the file system should be checked regularly.
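The advice above (keep auto-accept off, do not open invites from unknown senders, look at what an invite actually carries) can be enforced before an invite reaches a device. The following is an added example, not code from the article, from the researcher, or from Apple. It assumes invites are available as .ics text (for instance pulled from a mail gateway or exported from a mailbox) and implements a small triage that refuses auto-acceptance when the organizer is not on an allow-list or when the invite carries an attachment, flagging attachment names that contain path separators or '..'. The attachment checks are generic hygiene, not the CVE's actual trigger: the article does not describe which part of the invite is malicious. The `TRUSTED_ORGANIZERS` set, the `SAMPLE_ICS` invite and the use of `X-APPLE-FILENAME` / `FILENAME` as attachment-name parameters are assumptions made for the example.

```python
"""Triage an .ics invite before letting a Calendar auto-accept it.

Added example, not part of the original article. The parser handles only the
RFC 5545 features needed here: line unfolding and NAME;PARAMS:VALUE splitting.
"""
from dataclasses import dataclass, field

# Assumption: organizers we are willing to let the Calendar auto-accept.
TRUSTED_ORGANIZERS = {"alice@example.com", "scheduling@example.com"}

# Constructed sample invite: an outside organizer plus an attachment whose
# declared file name contains a traversal sequence. The ATTACH property is
# folded over two lines, as RFC 5545 allows.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//constructed sample//EN",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:constructed-1@example.net",
    "DTSTART:20240101T090000Z",
    "SUMMARY:Quarterly sync",
    "ORGANIZER;CN=Unknown Sender:mailto:someone@example.net",
    "ATTACH;FMTTYPE=text/plain;ENCODING=BASE64;VALUE=BINARY;",
    " X-APPLE-FILENAME=../../Library/notes.txt:aGVsbG8=",
    "END:VEVENT",
    "END:VCALENDAR",
])


def unfold(text: str) -> list[str]:
    """Join RFC 5545 folded lines (continuations start with SPACE or TAB)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_property(line: str) -> tuple[str, dict[str, str], str]:
    """Split 'NAME;P1=v1;P2="v:2":value' into (name, params, value).

    The first ':' outside double quotes separates the value. Parameter values
    containing ';' inside quotes are not handled; that is enough for triage.
    """
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            head, value = line[:i], line[i + 1:]
            break
    else:
        raise ValueError(f"no value separator in property line: {line!r}")
    parts = head.split(";")
    params: dict[str, str] = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        params[k.upper()] = v.strip('"')
    return parts[0].upper(), params, value


def attachment_name(params: dict[str, str], value: str) -> str:
    """Best-effort attachment file name (assumed parameter names)."""
    for key in ("X-APPLE-FILENAME", "FILENAME"):
        if key in params:
            return params[key]
    if params.get("VALUE", "URI").upper() == "URI":
        return value.rsplit("/", 1)[-1]
    return ""


@dataclass
class Verdict:
    organizer: str
    findings: list[str] = field(default_factory=list)

    @property
    def safe_to_auto_accept(self) -> bool:
        return not self.findings


def triage_invite(ics_text: str, trusted: set[str] = TRUSTED_ORGANIZERS) -> Verdict:
    """Return the organizer and every reason not to auto-accept the invite."""
    organizer, findings = "", []
    for line in unfold(ics_text):
        if not line or line.upper().startswith(("BEGIN:", "END:")):
            continue
        name, params, value = split_property(line)
        if name == "ORGANIZER":
            organizer = value.lower().removeprefix("mailto:")
            if organizer not in trusted:
                findings.append(f"organizer not on allow-list: {organizer}")
        elif name == "ATTACH":
            fname = attachment_name(params, value)
            findings.append(f"invite carries an attachment: {fname or '<unnamed>'}")
            # Conservative: any separator or '..' in a declared name is suspect.
            if fname and ("/" in fname or "\\" in fname or ".." in fname):
                findings.append(f"attachment name contains a path separator or '..': {fname}")
    return Verdict(organizer, findings)


if __name__ == "__main__":
    verdict = triage_invite(SAMPLE_ICS)
    print("organizer:", verdict.organizer)
    for finding in verdict.findings:
        print("-", finding)
    print("safe to auto-accept:", verdict.safe_to_auto_accept)
```

The design keeps policy (the allow-list) separate from parsing, so the same triage can run on every invite a gateway sees; an invite that passes with no findings is the only kind a Calendar set to auto-accept should ever receive.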
Warning: devices that have not been updated are at risk
Bastama states that detecting and fixing such vulnerabilities before they become widespread prevents major data leaks, and that devices that have not received the update may still be actively affected by this vulnerability.
Source: CUMHA - CUMHURS NEWS AGENCY