Apple Users Wait for iCal Patches

Apple has not moved on vulnerabilities discovered in January and won't say when it will.

Patches for three publicly disclosed bugs affecting Apple's iCal application have yet to become a reality.

The bugs are related to the improper sanitizing of certain fields of iCal calendar files, and can be exploited to launch denial-of-service attacks or to take over vulnerable machines. The vulnerabilities were uncovered in January by researchers from Core Security Technologies, and the security vendor's chief technology officer told eWEEK the company felt it could no longer wait for Apple to fix the issues.

"The original idea was to publish after the fixes came out," said Ivan Arce, Core Security's CTO. "It just didn't happened that the fixes came out...[as] originally planned by Apple."

After months of back and forth, Core Security decided to disclose the bugs May 21 after Apple told the vendor the fixes would be ready May 19. But when Apple failed to deliver a round of patches as promised, the company decided to go ahead and issue an advisory, Arce said.

Apple spokesperson Anuj Nayar said the company would not comment on when the bugs would be fixed.

Apple's Delay Increases Likelihood of .ics Exploits

The most serious of the bugs is the result of a memory corruption vulnerability that can be triggered if a user runs a malicious .ics (iCal calendar file). The other two are null-pointer errors caused when parsing malformed .ics files, Core researchers wrote in the advisory.

Wednesday, researchers wrote only version 3.0.1 of iCal running on the Mac OS X 10.5.1 platform is vulnerable, however, Arce added the most recent version of iCal is vulnerable as well.

The flaws can be exploited by enticing a user into clicking on a malicious .ics file sent through e-mail or via compromised Web sites, the advisory said. In addition, the flaws can be exploited without direct user involvement if the attacker has the ability to legitimately add or modify calendar files on a CalDAV server.

Until a patch is ready, Arce advised users to be weary of .ics received from unknown sources.

"Disclosing information about a vulnerability...may help the bad guys, but fundamentally it's much more important to help the good guys protect themselves," Arce said. "So after a period of time has passed since the original becomes more and more probable that the vulnerability will be widely known even if you don't disclose."