Mikko Kenttälä

Apple has pretty much admitted that TCC doesn't work: They just reduced the payouts for full TCC bypasses om macOS by 83.6%! Until they come to their senses or confirm whether this is here to stay I won't report any TCC bypasses and won't research it either.

@MikaAaltola @SarasvuoJari Olin mukana Effin riveissä ottamassa kantaa tiedustelulainsäädäöntöön (myös kriittisesti) ja sanottava on kyllä, että lakihankkeelle oli todella vähän vastustusta. Jos tähän vaikuttaminen olisi ollut yksi kärkihankkeista, lienemme turvassa.

Tiedustelulain kaataminen oli todennäköisesti yksi Venäjän tiedustelun kärkihankkeista Suomessa. On syytä epäillä, että verkostoja aktivoitiin vaikuttamaan mielipiteisiin ja kääntämään keskustelu lakia vastaan. Vahvistuva suomalainen tiedustelukyky nähtiin Moskovassa uhkana.

Cybersecurity Advice

@RGB_Lights At least some of the swag is used. My go-to training socks—cool cybersocks from @certlv ’s #cyberchess

I’m at the point that I don’t need / want backpacks, notebooks, pens, lights, t-shirts and all of the other conference items. Despite that, it’s still a huge part of the conference experience. Anyone have a good estimate of what percent of giveaway swag is actually used?

This may be good to know for researchers. If you are hunting bounties, it’s not worth reporting your findings. However, if you want to do good and help over 100 million Mac users, you should report it. @Apple will fix it. (3/3)

This is mentioned on current guideline: "For an issue to be eligible for an Apple Security Bounty, the issue you report must occur on the latest publicly available version (including beta versions) of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration* .." (2/x)

Apple decided that the CVE-2022–46723 Calendar Arbitrary File Write vuln did not deserve a bounty because it only affected macOS Monterey, and Ventura was already in the beta phase and did not have this issue, even though Monterey was still the latest version in production. (1/x)

@gergely_kalman Thank you! 😊

@Turmio_ This is absolutely f****ng brilliant, I learned a lot of new tricks. Well done, and thanks for sharing!

I discovered a zero-click vulnerability in macOS Calendar that allowed attackers to add/delete files in the Calendar sandbox. This could lead to code execution and compromise iCloud Photos data. (Now fixed). More details on my blog: mikko-kenttala.medium.com/zero-click-cal… #macOS #infosec

Sorry for the late release, and thanks to those who reminded me—it was the push I needed. :) The original plan was to release it after everything was settled with Apple regarding the bounty.

Do you need to use calendar on your daily work? Its good to remember that it may be attack vector. Stay safe!

Both @ccdcoe and their flagship exercise #LockedShields have grown impressively - with over 3500 participants from 41 nations, this year’s exercise is the largest to date. Whole-of-society approach and international cooperation are a must in defending us in the cyber domain.

@theevilbit Thank you! ☺️

Great talk by @Turmio_ about abusing macOS Calendar for code execution! Title: "Have U Been Invited (episode 2) - MacOS Logic Bugs" youtube.com/watch?v=9NlQXL…

@yo_yo_yo_jbo Absolutely! We need more posts like that!

My macOS sandbox escape doesn't work :( But I learned *so much*, would folks be interested in a blogpost that shows why my research didn't work?

I am thrilled to be on stage and talk at @Disobey_fi Security Theater stage at Saturday 7pm about my most recent findings related to exploiting vulnerabilities in macOS Calendar. This will be a continuation of my last year's presentation. #InfoSec #Apple #disobey2024

@RonMasas Simple and beautiful! 👌👍

I configured my app to be the default program for opening .db files. Then, I used osascript to open TCC.db. macOS treated this action as though the user had directly opened the file, thereby granting my app read and write access to it.

In 2021, I reported my first user TCC bypass, CVE-2021-30946. Here is what I found. 🧵 [1/3]

Thanks to marcan (@marcan/111655847458820583" target="_blank" rel="nofollow noopener">social.treehouse.systems/@marcan/111655…) and @zhuowei (x.com/zhuowei/status…) now we know the original purpose for this unknown hardware feature. Its MMIO debug registers for GPU L2 cache. I am really excited that we are very close to solving this mystery!

Operation Triangulation research by Kaspersky (@oct0xor @bzvr_ @kucher1n ) mentions that M1 chip also "has this unknown hardware feature". My colleague wondered if M1x gfx-asc behaviour doc from Asahi Linux a is related to the exploited MMIO (mis)feature? github.com/phire/m1n1/blo…

Many times security research is not that visually interesting. However Terminal fuzzing with ansi escape art is somewhat hypnotic. 😵‍💫 ( Radamsa in action) #iTerm

The attack against Danish critical infrastructure, report by #SektorCERT on attacks against DK energy sector via vulnerable Zyxel firewalls, forcing operators to go in island mode operation. @MISPProject indicators published via botvrij.eu botvrij.eu/data/feed-osin…