CVE-2024-23245: Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent in Apple macOS
This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent.
AI Analysis
Technical Summary
CVE-2024-23245 is a vulnerability in Apple macOS in the way third-party shortcuts (workflows built in the Shortcuts app) can drive other applications through a legacy Automator action. macOS normally gates inter-application scripting of this kind behind a one-time Automation consent prompt (System Settings > Privacy & Security > Automation), so the user must approve one app controlling another before any events are delivered. A shortcut that embedded the legacy Automator action could send events to other applications without that approval, enabling scripted actions in those apps that the user never consented to. This bypasses the approval mechanism that exists precisely to stop automated or scripted interactions from leaking or manipulating data. The vulnerability affects macOS versions prior to the patched releases: Sonoma 14.4, Ventura 13.6.5, and Monterey 12.7.4. The CVSS v3.1 base score is 5.4 (medium severity), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N: a network attack vector (AV:N, modelling remote delivery of a malicious shortcut), no privileges required (PR:N), and user interaction required (UI:R), since the victim must import and run the shortcut; the event injection itself then happens locally in the user's own session. Impact is limited loss of confidentiality and integrity (C:L, I:L), because a malicious shortcut could read or modify data in the targeted apps without explicit approval; availability is not impacted (A:N). Apple's fix adds an additional prompt requiring explicit user consent before such legacy Automator actions can send events to apps, restoring user control. No exploits in the wild are known at this time, but the issue could be used in targeted attacks or social-engineering campaigns that trick users into installing and running a malicious shortcut. It illustrates the risk of legacy automation paths that are not covered by the consent mechanisms newer inter-application features on macOS rely on.
Potential Impact
For European organizations, this vulnerability poses a moderate risk, primarily to the confidentiality and integrity of data on macOS endpoints. An attacker could craft a malicious shortcut that, once a user has imported and run it, sends unauthorized events to applications, leading to data exposure or unauthorized modification. This fits targeted phishing or social-engineering campaigns against employees, either to establish a foothold or to exfiltrate sensitive information. Availability is not affected, but because the events travel through a legitimate automation channel, the activity blends in with normal application behaviour and can complicate detection and response. Organizations with significant macOS deployments, especially in sectors handling sensitive data such as finance, healthcare, and government, are most exposed. The user-interaction requirement limits mass exploitation but does not eliminate the risk, particularly where users are less security-aware or routinely share shortcuts with each other. Because the vulnerable path is a legacy Automator action, older shortcuts or automation workflows already in use could also be vectors. Failure to patch could additionally expose organizations to compliance risk under GDPR if the confidentiality of personal data is compromised.
Mitigation Recommendations
European organizations should take the following specific steps beyond generic patching advice: 1) Update all macOS devices to Sonoma 14.4, Ventura 13.6.5, or Monterey 12.7.4 or later; releases older than Monterey are not listed as receiving a fix and should be upgraded or retired. 2) Audit and restrict third-party shortcuts and Automator workflows, especially those obtained from untrusted sources, and treat any shortcut that embeds a legacy Automator action as high-risk until it has been reviewed. 3) Implement endpoint monitoring for unusual inter-application event activity, for instance Shortcuts- or Automator-hosted processes driving mail, browser, or password-manager applications, which could indicate exploitation attempts. 4) Educate users on the risks of installing shortcuts and on reading consent prompts carefully rather than approving them reflexively. 5) Use Mobile Device Management (MDM) to enforce policies limiting shortcut installation or execution where feasible, and to report OS version compliance. 6) Review existing automation scripts and workflows for legacy Automator actions and update or disable those that use them. 7) Incorporate this vulnerability into incident response playbooks so exploitation attempts can be identified and remediated quickly. These targeted measures reduce the attack surface and improve detection specific to this vulnerability.
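A fleet-side check for step 1, added here as an example and not taken from Apple's tooling or from this advisory's author: it classifies a macOS productVersion string against the fixed builds named above (14.4, 13.6.5, 12.7.4) and, when run on a Mac, reads the installed version with sw_vers and lists installed shortcuts with the shortcuts CLI to seed the audit in step 2. The function names, the treatment of macOS 15 and later as patched (those releases shipped after the fix), and the reporting of releases older than Monterey as having no fix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Apple's tooling or the advisory author's code): classify a macOS
# version against the builds that fix CVE-2024-23245 per the advisory text.
# Assumptions made here: macOS 15+ shipped after the fix and counts as patched;
# majors older than 12 (Monterey) have no listed fix and are reported as "unsupported".

# version_ge A B: succeed if dotted version A >= B, compared numerically per component.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# fixed_version_for MAJOR: print the first build of that major that carries the fix.
fixed_version_for() {
  case "$1" in
    14) echo 14.4 ;;     # Sonoma
    13) echo 13.6.5 ;;   # Ventura
    12) echo 12.7.4 ;;   # Monterey
    *)  return 1 ;;      # no fix listed for this major
  esac
}

# cve_2024_23245_status VERSION: print patched | unpatched | unsupported.
cve_2024_23245_status() {
  v="$1"
  major="${v%%.*}"
  case "$major" in
    ''|*[!0-9]*) echo unsupported; return ;;   # not a dotted numeric version
  esac
  if [ "$major" -ge 15 ]; then
    echo patched; return            # assumption: later majors ship with the fix
  fi
  fix=$(fixed_version_for "$major") || { echo unsupported; return; }
  if version_ge "$v" "$fix"; then echo patched; else echo unpatched; fi
}

# On a Mac, report the installed release and inventory shortcuts for the audit step.
if [ "$(uname -s)" = Darwin ]; then
  installed=$(sw_vers -productVersion)
  printf 'macOS %s: %s for CVE-2024-23245\n' "$installed" "$(cve_2024_23245_status "$installed")"
  printf 'Installed shortcuts (review any that embed legacy Automator actions):\n'
  shortcuts list 2>/dev/null || echo '(shortcuts CLI unavailable; requires macOS 12 or later)'
fi
```

The status word is the only thing an MDM inventory script needs to report back; the shortcut listing is for the reviewer, since the CLI shows names but not which actions a shortcut contains.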
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Denmark, Finland, Ireland, Switzerland, Norway
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2024-01-12T22:22:21.483Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690a47526d939959c80226c5
Added to database: 11/4/2025, 6:34:58 PM
Last enriched: 11/4/2025, 9:27:39 PM
Last updated: 11/5/2025, 3:40:35 PM