A local macOS user or process may be able to modify or replace files executed by Installer. This could allow a low-privileged user or process to gain arbitrary code execution with root privileges, effectively leading to a full system compromise.
Using a carefully crafted calendar event, an attacker can retrieve semi-arbitrary files from a target victim’s macOS system, all the victim has to do is click on an invite.
This post explores the potential abuse of some features within the macOS Calendar application. It covers multiple attack paths that could lead to code execution and discusses the protections Apple has in place to mitigate them.