Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

A researcher bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos. [TechWeb]( Follow Dark Reading: [RSS]( September 18, 2024 LATEST SECURITY NEWS & COMMENTARY [Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data]( A researcher bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos. ['Marko Polo' Creates Globe-Spanning Cybercrime Juggernaut]( The Eastern European group is actively expanding its financial fraud activities, with its pipelines representing a veritable Silk Road for the transfer of cryptocurrency, and lucrative and exploitable data. [RT News Hosted Russian Cyber Spy Unit, US Says]( US State Department warns that Kremlin-backed media outlets in democracies around the world are hiding Russian cyber spies and actively working to sow discord. [Apple Abandons Spyware Suit to Avoid Sharing Cyber Secrets]( Despite more US sanctions against spyware operators, Apple decided the cost in terms of disclosures about its own anti-spyware efforts was too great. ['CloudImposer' Flaw in Google Cloud Affected Millions of Servers]( Attackers could have exploited a dependency confusion vulnerability affecting various Google Cloud services to execute a sprawling supply chain attack via just one malicious Python code package. [The Current Cybersecurity Landscape: New Threats, Same Security Mistakes]( It is imperative to develop robust policies for new tech and future-proofing by favoring investments in security. [MORE NEWS /]( [MORE COMMENTARY]( HOT TOPICS [Fortinet Confirms Customer Data Breach via Third Party]( The incident is a reminder why organizations need to pay attention to how they store and secure data in SaaS and cloud environments. [Cybersecurity & the 2024 US Elections]( While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact. [Ivanti Cloud Bug Goes Under Exploit After Alarms Are Raised]( Three days after Ivanti published an advisory about the high-severity vulnerability CVE-2024-8190, threat actors began to abuse the flaw. [NFL Teams Block & Tackle Cyberattacks in a Digital World]( As the 104th season of the National Football League kicks off, expect cyberattacks aimed at its customers, players, and arenas. [MORE]( PRODUCTS & RELEASES [99% of Business Leaders Have Concerns About the Trustworthiness of Internal Data]( [Cybersecurity Community Celebrates Documentary Premiere at Tampa Theatre]( [South Korea Digital Forensics Market to Hit US $3.52B by 2031]( [Cloud-Native Network Security Up 17%, Hardware Down 2%]( [Over a Third of Cyberattacks Result in Job Losses]( [MORE PRODUCTS & RELEASES]( EDITORS' CHOICE ['Void Banshee' Exploits Second Microsoft Zero-Day]( Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw. LATEST FROM THE EDGE [CISA Urges Software Makers to Eliminate XSS Flaws]( The latest Secure by Design alert from CISA outlines recommended actions security teams should implement to reduce the prevalence of cross-site scripting vulnerabilities in software. LATEST FROM DR TECHNOLOGY [Startup Finds 'Hydden' Identities in IT Environment]( Hydden's platform detects and classifies the organization's identities, accounts, and privileges, regardless of where they reside in the IT environment. LATEST FROM DR GLOBAL [As Geopolitical Tensions Mount, Iran's Cyber Operations Grow]( Increasing attacks by the OilRig/APT34 group linked to Iran's Ministry of Intelligence and Security show that the nation's capabilities are growing, and targeting regional allies and enemies alike. WEBINARS - [Get In Tune with Your Cloud Cyber Resilience Strategy]( - [DORA and PCI DSS 4.0: Scale Your Mainframe Security Strategy Among Evolving Regulations]( [View More Dark Reading Webinars >>]( WHITE PAPERS - [Product Review: Trend Vision One Cloud Security]( - [The State of Asset Security: Uncovering Alarming Gaps & Unexpected Exposures]( - [The Anatomy of a Ransomware Attack]( - [Purple AI Datasheet]( - [Ten Elements of Insider Risk in Highly Regulated Industries]( - [Boston Beer Company Transforms OT Security & Reduces Costs]( - [OT Threat Intelligence Report: Fuxnet ICS Malware]( [View More White Papers >>]( FEATURED REPORTS - [Managing Third-Party Risk Through Situational Awareness]( - [2024 InformationWeek US IT Salary Report]( [View More Dark Reading Reports >>]( Dark Reading Daily -- Published By [Dark Reading]( Informa Tech Holdings LLC | Registered in the United States with number 7418737 | 605 Third Ave., 22nd Floor, New York, New York 10158, USA To opt-out of any future Dark Reading Daily Newsletter emails, please respond [here.]( Thoughts about this newsletter? [Give us feedback.](mailto:ContactDarkReading@informa.com) Keep This Newsletter Out Of Your SPAM Folder Don't let future editions go missing. Take a moment to add the newsletter's address to your anti-spam white list: /cdn-cgi/l/email-protection?sp_aid=125773&elq_cid=22844169&sp_eh=9ec2e0353644c03ce56099bfb161a49d1f8a5a22f0d884f0cd961b89d205d529&utm_source=eloqua&utm_medium=email&utm_campaign=DR_NL_Dark%20Reading%20Daily_09.18.24&sp_cid=55100&utm_content=DR_NL_Dark%20Reading%20Daily_09.18.24&sp_eh=9ec2e0353644c03ce56099bfb161a49d1f8a5a22f0d884f0cd961b89d205d529#ac If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation. We take your privacy very seriously. Please review our [Privacy Statement.]( [© 2024]( | [Informa Tech]( | [Privacy Statement]( | [Terms & Conditions]( | [Contact Us](mailto:ContactDarkReading@informa.com)