Apple Users Wait for iCal Patches

Written By
Brian Prince
May 22, 2008

Patches for three publicly disclosed bugs affecting Apple’s iCal application have yet to become a reality.

The bugs are related to the improper sanitizing of certain fields of iCal calendar files, and can be exploited to launch denial-of-service attacks or to take over vulnerable machines. The vulnerabilities were uncovered in January by researchers from Core Security Technologies, and the security vendor’s chief technology officer told eWEEK the company felt it could no longer wait for Apple to fix the issues.

“The original idea was to publish after the fixes came out,” said Ivan Arce, Core Security’s CTO. “It just didn’t happen that the fixes came out…[as] originally planned by Apple.”

After months of back and forth, Core Security decided to disclose the bugs May 21 after Apple told the vendor the fixes would be ready May 19. But when Apple failed to deliver a round of patches as promised, the company decided to go ahead and issue an advisory, Arce said.

Apple spokesperson Anuj Nayar said the company would not comment on when the bugs would be fixed.

Apple’s Delay Increases Likelihood of .ics Exploits

The most serious of the bugs is the result of a memory corruption vulnerability that can be triggered if a user opens a malicious .ics (iCal calendar) file. The other two are null-pointer errors caused when parsing malformed .ics files, Core researchers wrote in the advisory.

In the advisory published Wednesday, the researchers wrote that only version 3.0.1 of iCal running on the Mac OS X 10.5.1 platform is vulnerable; however, Arce added that the most recent version of iCal is vulnerable as well.

The flaws can be exploited by enticing a user into clicking on a malicious .ics file sent through e-mail or via compromised Web sites, the advisory said. In addition, the flaws can be exploited without direct user involvement if the attacker has the ability to legitimately add or modify calendar files on a CalDAV server.

Until a patch is ready, Arce advised users to be wary of .ics files received from unknown sources.
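As an added illustration (this is example code written for this page, not code from Core Security, Apple, or the advisory), the following Python pre-validator rejects structurally malformed .ics files before they are handed to a full calendar parser. It enforces a file-size and unfolded-line-length limit, checks each content line against the NAME[;PARAM=VALUE]:VALUE grammar, and verifies that BEGIN/END components nest correctly. The limits, sample calendars, and function names are all constructed assumptions for this example; a gateway or mail filter could apply such a check to attachments from unknown sources.

```python
import re
from dataclasses import dataclass, field

# Constructed limits for this example (not values taken from the advisory).
MAX_FILE_BYTES = 1_000_000   # reject oversized attachments outright
MAX_LINE_CHARS = 8_192       # length of a content line after unfolding
MAX_NESTING = 8              # depth of nested BEGIN:... components

# RFC 5545 content line: NAME, optional ;PARAM=VALUE list (quoted values may
# contain ':' and ';'), then ':' and the property value.
CONTENT_LINE = re.compile(
    r'^([A-Za-z0-9-]+)((?:;[A-Za-z0-9-]+=(?:"[^"]*"|[^";:])*)*):(.*)$'
)


@dataclass
class IcsCheck:
    ok: bool
    problems: list = field(default_factory=list)


def unfold(text: str) -> list:
    """Undo RFC 5545 line folding: a line break followed by one space or tab
    continues the previous line, and both the break and that whitespace are removed."""
    raw = text.replace('\r\n', '\n').replace('\r', '\n').split('\n')
    out = []
    for line in raw:
        if line[:1] in (' ', '\t') and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return [line for line in out if line != '']


def check_ics(text: str) -> IcsCheck:
    """Structural pre-validation of an iCalendar document. Returns ok=False with a
    list of problems for anything a strict parser should not be asked to handle."""
    problems = []
    if len(text.encode('utf-8')) > MAX_FILE_BYTES:
        return IcsCheck(False, ['file exceeds size limit'])

    lines = unfold(text)
    if (not lines or lines[0].upper() != 'BEGIN:VCALENDAR'
            or lines[-1].upper() != 'END:VCALENDAR'):
        problems.append('missing VCALENDAR envelope')

    stack = []  # currently open components, innermost last
    for n, line in enumerate(lines, 1):
        if len(line) > MAX_LINE_CHARS:
            problems.append(f'line {n}: exceeds {MAX_LINE_CHARS} chars')
            continue
        if any(ord(c) < 0x20 and c != '\t' for c in line):
            problems.append(f'line {n}: control character in content line')
            continue
        m = CONTENT_LINE.match(line)
        if not m:
            problems.append(f'line {n}: not a NAME[;PARAM=VALUE]:VALUE content line')
            continue
        name, value = m.group(1).upper(), m.group(3)
        if name == 'BEGIN':
            stack.append(value.upper())
            if len(stack) > MAX_NESTING:
                problems.append(f'line {n}: component nesting deeper than {MAX_NESTING}')
        elif name == 'END':
            opened = stack.pop() if stack else None
            if opened != value.upper():
                problems.append(f'line {n}: END:{value} does not match open component {opened}')
        elif not stack:
            problems.append(f'line {n}: property outside any component')

    if stack:
        problems.append('unterminated component(s): ' + ', '.join(stack))
    return IcsCheck(not problems, problems)


# Constructed sample calendars (not files from the advisory).
GOOD_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//constructed sample//EN",
    "BEGIN:VEVENT",
    "UID:constructed-1@example.invalid",
    "DTSTAMP:20080522T120000Z",
    "DTSTART:20080523T090000Z",
    "SUMMARY:Patch review meeting",
    'ATTENDEE;CN="Prince, Brian";ROLE=REQ-PARTICIPANT:mailto:brian@example.invalid',
    "DESCRIPTION:A description folded across two physical lines to ",
    " exercise the unfolding code path",
    "END:VEVENT",
    "END:VCALENDAR",
]) + "\r\n"

BAD_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "BEGIN:VEVENT",
    "UID:constructed-2@example.invalid",
    "SUMMARY" + "A" * 9000,   # no ':' separator and far beyond the line limit
    "END:VTODO",              # does not close the open VEVENT
    "END:VCALENDAR",
])

if __name__ == "__main__":
    for label, sample in (("good", GOOD_ICS), ("bad", BAD_ICS)):
        result = check_ics(sample)
        print(label, "ok" if result.ok else "rejected", result.problems)
```

The check is deliberately conservative: it only answers "is this file structurally what a calendar parser expects", and anything it rejects is simply not passed on. Property values themselves still need the application's own validation, so this is a front gate rather than a replacement for a fixed parser.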

“Disclosing information about a vulnerability…may help the bad guys, but fundamentally it’s much more important to help the good guys protect themselves,” Arce said. “So after a period of time has passed since the original disclosure…it becomes more and more probable that the vulnerability will be widely known even if you don’t disclose.”
