iCal vulnerabilities put Mac OS X users at risk


iCal vulnerable to remote code execution flaws
Heads up to Mac OS X users: It appears Apple will be shipping high-priority security patches sometime today. (See important update at the end)

According to a security alert from vulnerability research and pen testing firm Core Security, Apple is about to release patches for three remotely exploitable security vulnerabilities in iCal, the personal calendar application that ships on Mac OS X.

The Core advisory was coordinated with Apple's security team, so it's a safe bet we will see a big software update later today with patches for multiple vulnerabilities.

From Core's alert (not yet available online):

The vulnerabilities are caused due to iCal not properly sanitizing certain fields on iCal calendar files (.ics). This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file.

Vulnerable packages include iCal version 3.0.1 on MacOS X 10.5.1 (Leopard).

Core said the flaws could enable client-side attacks on Mac users, using rigged Web sites or malicious attachments.

In all three cases detailed in the advisory, an improper sanitization affects the parsing of the calendar file format for sharing calendar events. This means that a malicious iCalendar file may be sent via e-mail or posted in a Web service to trigger the vulnerabilities when the victim application opens or updates the file on his/her computer.


Apple's iCal users are strongly urged to look out for -- and install -- the patches using the Software Update mechanism built into Mac OS X.

UPDATE: I'm told that Apple's patch has slipped and will not be released today. In the circumstances, beware of strange links and e-mails with requests to add/open calendar (.ics) files.
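As an added illustration of where a defensive check can sit while the patch is pending (example code written for this page, not from Core, Apple or the article), here is a conservative pre-screen that unfolds an .ics file and flags malformed properties, oversized field values and unbalanced components before a calendar client ever parses it. The length cap and the two sample files are constructed assumptions; the advisory does not name the fields iCal fails to sanitize, so the check is generic rather than a signature for these specific bugs.

```python
# Added example, not code from the article, Core or Apple: a conservative
# pre-screen for iCalendar (.ics) files that a mail gateway or import hook can
# run before a calendar client parses them. The cap is an assumed value.
import re

MAX_VALUE_LEN = 4096                        # assumed cap on one unfolded value
NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")    # legal property-name characters

def unfold(text):
    """Join RFC 2445 folded lines: a line starting with SPACE or HTAB continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines

def screen_ics(text):
    """Return a list of findings; an empty list means the file passed the pre-screen."""
    findings, stack = [], []
    lines = unfold(text)
    if not lines or lines[0].upper() != "BEGIN:VCALENDAR":
        findings.append("file does not start with BEGIN:VCALENDAR")
    for n, line in enumerate(lines, 1):
        # NAME;PARAM=...:VALUE -- split at the first ':' (parameter values
        # containing a quoted ':' would need a quote-aware split)
        name, sep, value = line.partition(":")
        name = name.split(";", 1)[0].upper()
        if not sep or not NAME_RE.match(name):
            findings.append(f"line {n}: malformed property")
            continue
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"line {n}: {name} value length {len(value)} exceeds cap")
        if any(ord(c) < 0x20 and c != "\t" for c in value):
            findings.append(f"line {n}: {name} contains control characters")
        if name == "BEGIN":
            stack.append(value.upper())
        elif name == "END" and (not stack or stack.pop() != value.upper()):
            findings.append(f"line {n}: unbalanced END:{value}")
    if stack:
        findings.append(f"unclosed components: {stack}")
    return findings

# Constructed samples: a well-formed invite, and one with an oversized field
# plus a mismatched END line.
GOOD_ICS = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Team sync\r\n"
            "  (room 4)\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
BAD_ICS = "BEGIN:VCALENDAR\r\nSUMMARY:" + "A" * 5000 + "\r\nEND:VEVENT\r\n"
```

A file that produces findings should be quarantined for review rather than handed to the calendar application; an empty list only means the file passed these structural checks, not that it is safe.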


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
