Apple patches bugs in its iCal calendar application a week after security researchers disclosed them.

Apple released a major security update May 28 that included a patch for
vulnerabilities in its iCal calendar application that were disclosed last week.
The iCal bugs were discovered by Core Security Technologies and made public
last week after months of back and forth with Apple. The flaws can be
exploited to crash iCal or execute arbitrary code via malicious calendar
updates or by importing a specially crafted calendar file (.ics).
The iCal bugs were the topic of discussion
last week after Core Security researchers opted to release them, since
efforts to coordinate disclosure with Apple were unsuccessful. Core
Security Chief Technology Officer Ivan Arce said at the time the company felt
it could no longer wait for Apple to address the issues.
The update features fixes for more than 40 bugs for a variety of Mac OS X
components, including seven fixes for the Flash Player Plug-in—the most serious
of which offers hackers the opportunity for remote code execution, according to
Apple. Other components addressed by the patch include Help Viewer, Wiki
Server, Apache and Image Capture.
The update also features a number of general stability and performance fixes
such as enhanced Active Directory binding and log-in, and improved Safari
reliability when connecting to the Internet through a Microsoft ISA proxy. The
performance fixes affect iCal, iChat, Mail, Address Book, AirPort, Automator,
Parental Controls, Spaces, Time Machine and VoiceOver.
Apple recommends the update for all users of Mac OS X 10.5, 10.5.1 and
10.5.2.