Bugs Bite Apple iCal Application

Researchers at Core Security find three remotely exploitable bugs in iCal.

Researchers at Core Security Technologies have uncovered three vulnerabilities in Apple's iCal application that hackers can exploit to take over vulnerable machines or launch denial-of-service attacks.

According to an advisory from Core, the most serious of the bugs is the result of a memory corruption vulnerability that can be triggered if a user runs a malicious .ics (iCal calendar file). The other two are null-pointer errors caused when parsing malformed .ics files, Core researchers wrote in the advisory.

iCal is a personal calendar application provided by Apple on Mac OS X and serves as a client-side component to a calendar server, allowing users to create and share multiple calendars. It can also be used as a stand-alone application.

Click here for an analysis of what control Apple provides administrators over updates and patching.

"The reported problems are based on the Apple software improperly sanitizing certain fields of iCal calendar files," Core Security Chief Technology Officer Ivan Arce said in an interview with eWEEK. "The vulnerabilities could potentially be utilized to crash iCal via exploitation of the two null-pointer bugs-or to execute arbitrary code via the memory corruption issue by sending users of the Apple program specially crafted electronic calendar updates, or by convincing users to import specially crafted calendar files from a Web site."

In addition, the flaws could be exploited without direct user involvement if the attacker has the ability to legitimately add or modify calendar files on a CalDAV server, according to the advisory. So far, the security firm has not observed the bugs being exploited in the wild.

Version 3.0.1 of iCal, running on the Mac OS X 10.5.1 platform, is vulnerable, Core researchers wrote.