Apple released a major security update May 28 that included a patch for vulnerabilities in its iCal calendar application that were disclosed last week.
The iCal bugs were discovered by Core Security Technologies and made public last week after months of back and forth with Apple. The flaws can be exploited to crash iCal or execute arbitrary code via malicious calendar updates or by importing a specially crafted calendar file (.ics).
The iCal bugs were the topic of discussion last week after Core Security researchers opted to release them, since efforts to coordinate disclosure with Apple were unsuccessful. Core Security Chief Technology Officer Ivan Arce said at the time the company felt it could no longer wait for Apple to address the issues.
The update features fixes for more than 40 bugs in a variety of Mac OS X components, including seven fixes for the Flash Player Plug-in, the most serious of which offers hackers the opportunity for remote code execution, according to Apple. Other components addressed by the patch include Help Viewer, Wiki Server, Apache and Image Capture.
The update also features a number of general stability and performance fixes, such as enhanced Active Directory binding and log-in, and improved Safari reliability when connecting to the Internet through a Microsoft ISA proxy. The performance fixes affect iCal, iChat, Mail, Address Book, AirPort, Automator, Parental Controls, Spaces, Time Machine and VoiceOver.
Apple recommends the update for all users of Mac OS X 10.5, 10.5.1 and 10.5.2.