iCal’s vulnerabilities

Security company discloses iCal vulnerabilities

Core Security, in an advisory that showed a contentious argument with Apple, disclosed three iCal bugs that attackers could exploit using malicious servers, web sites, and .ics email attachments.

“The vulnerabilities may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application,” said Core Security.

The advisory states that iCal 3.01 running on Mac OS X 10.5.1 is still vulnerable, but it’s unclear whether the latest versions of iCal and Mac OS X (3.02 and 10.5.2, respectively) fix the problems. Apple asked Core Security to delay publication of its findings, but Core Security set May 21 as its drop-deadline.

Core Security first reported the bugs in January. Apple fixed one of the bugs in a security release in March (2008-002), but thought that the others were not as critical as Core Security did. After Apple pushed back the release date for the remaining patches several times, a frustrated Core Security said they would release details of the bugs.

(Via TUAW.)
