iCal vulnerabilities put Mac OS X users at risk




Heads up to Mac OS X users: It appears Apple will be shipping high-priority security patches sometime today. (See important update at the end)

According to a security alert from vulnerability research and pen testing firm Core Security, Apple is about to release patches for three remotely exploitable security vulnerabilities in iCal, the personal calendar application that ships on Mac OS X.

The Core advisory was coordinated with Apple's security team, so it's a safe bet we will see a big software update later today with patches for multiple vulnerabilities.

From Core's alert (not yet available online):

The vulnerabilities are caused due to iCal not properly sanitizing certain fields on iCal calendar files (.ics). This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file.

Vulnerable packages include iCal version 3.0.1 on MacOS X 10.5.1 (Leopard).

Core said the flaws could enable client-side attacks on Mac users, using rigged Web sites or malicious attachments.

In all three cases detailed in the advisory, an improper sanitization affects the parsing of the calendar file format for sharing calendar events. This means that a malicious iCalendar file may be sent via e-mail or posted in a Web service to trigger the vulnerabilities when the victim application opens or updates the file on his/her computer.


Apple's iCal users are strongly urged to look out for -- and install -- the patches using the Software Update mechanism built into Mac OS X.

UPDATE: I'm told that Apple's patch has slipped and will not be released today. Under the circumstances, beware of strange links and e-mails with requests to add/open calendar (.ics) files.


Talkback

35 comments
  • This is really starting to annoy me

    Apple is a multi-billion dollar company. Hire some of these code
    jockeys to hammer your product BEFORE you release it. If they
    can find it after it's released, you can pay them to find it before
    you release. It's this little thing called quality control.
    frgough
    • ummmm

      Microsoft is a multi-multi billion dollar company..... You think they care about quality control? Um mm "no". There's not a single piece of software in the world that is perfectly bug-less.
      If it was possible to check every scenario of a software's use it would have been done many times. Don't be hating Apple because they're not perfect. Have some Microsoft.
      exxtraz
      • MS' quality is irrelevant

        to Apple's.

        In addition, your argument is bogus. People ARE finding these
        things after the product is released. People who have a passion
        for finding this sort of stuff, who have the talent for knowing
        where to look to find the exploits and flaws.

        Hire them and put them to work BEFORE you release your
        product.

        The created is never greater than the creator. MS and Apple
        don't find these things because they don't want to pay the
        money to find them.
        frgough
        • Two points...

          First of all, putting such people on the payroll might
          hamper their desire/abilities to do what they do. It's far
          easier to be a rebel when one is not part of any given
          system.

          More importantly, how long did it take even these folks to
          find these flaws? If it would have delayed Leopard for
          what, a month or three, maybe it would have been worth it.
          But it seems to me that Leopard has been out for
          some time now, right? When is enough time..... enough?
          What if another flaw is found in Leopard in another 6
          months. Should Apple have waited for that code breaker
          to do his/her thing that long as well?

          Pagan jim
          James Quinn
          • Exactly Jim.

            I agree with you. And the sheer volume of Apple bugs across all of their products would make it look like junk.

            Better to release it and let bug PR handle it from there. After all, they know there is another vendor that draws all ire and they will not get dinged more than a few short blogs here and there on their Monster and Mega patch releases several times each year.

            ;)

            Hey, where you been James?
            xuniL_z
        • Dreaming

          If you seriously expect there never to be any security issues with any software ever after it's released can I suggest you just pull your ethernet cable out or turn off your wireless right now. Or perhaps just avoid clicking on random iCal invitations from people you don't know.
          euan.johnstone@...
      • Hey,

        1999 called and wants their stupid Microsoft jabs in non-Microsoft related stories.

        If Apple sucks, pretend Microsoft sucks more. darrrr.

        Apple does have the upper hand over *all* OSes however and I have to admit it. Their products get patched more than any other software products on the market by a 20 to 1 margin.

        Have some Quicktime2virus.
        xuniL_z
  • iCal it normal

    I think this is very normal. At least Apple cares about their software and releases regular updates. It's just getting better and better.
    On a personal level, I've never had any problems with iCal. Works for me like no other.
    exxtraz
    • Well one problem you've had...

      ...is that Apple's known of this vulnerability since January and has not yet patched it.

      Or maybe that's not a problem? Might be no different than other vendors, but if it's OK for Apple to sit on it for months, it's OK for all the other guys too.
      KTLA
  • RE: iCal vulnerabilities put Mac OS X users at risk

    I guess you had to rush the story out in order to make it a
    'zero day vuln'. Which, BTW, makes no sense. But if you
    wrote about Zero Day Exploits, there would be no Mac FUD
    you could spin, would there?

    Also, quit using weasel words. Either remote code could
    be installed, or it couldn't. It doesn't help your case
    (dissing OS X before the entire windoze market falls apart)
    if you say that the flaw 'could' result in a problem. It only
    illustrates that you don't know.
    comp_indiana
    • Core's advisory

      http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2219 it's now public, even though the patch is not yet ready.

      _ryan
      Ryan Naraine
    • What is the difference...

      between us stupid user clicking on a rigged iCal
      file sent by email and a gullible user clicking on
      some other evil file of unknown origin?

      Any user that simply doesn't open files from
      unknown sources is very safe from such
      theoretical exploits. No OS can protect against
      stupid users. There simply is no medicine to
      cure stupidity.

      A pretty girl who ventures into a bad
      neighborhood, alone, at night, has good chance
      at something bad happening to her.
      arminw
  • La la la la I can't hear you

    No no no. This just isn't possible. Apple is perfect -- why, they use ALUMINUM! Just ask any macfanboi.
    Vesicant
    • as apple gets bigger so does the target on their ass

      They need to take security a little more seriously now that they're having serious success in the market. At least with Windows you are prepared to get infected. I have a feeling their time is coming for something like Blaster with all those Leopard firewalls off by default, or much worse, they don't patch as well as they should. There's going to be a lot of spilled lattes when the hackers put their crosshairs on all those un-patched Macs.
      tech_walker
  • RE: iCal vulnerabilities put Mac OS X users at risk

    Vulnerable packages include iCal version 3.0.1 on MacOS X
    10.5.1 (Leopard)....

    iCal on my system is at 3.0.2 and OS X is at 10.5.2 so
    evidently this has been patched already.
    dpollard55
    • Pattern

      Does it not appear to you that it is more important for these writers to have a 'hot tip' than to actually have substantial content? I mean, if this were somehow based on existing virus strains that took over your machine, or bot net beacons that were massively disturbing to the OS X community, then I would understand the hoopla. But as it stands, there is no reason to get so excited about iCal. I can grab any security alert from five months ago and say "MAJOR PROBLEM, TURN OFF YOUR MACHINES UNTIL WE GET THE OFFICIAL LINE ON THIS FROM THE CEO!"
      Thanks for clarifying this 'bug'.
      PS Did you know that Windows 98 was vulnerable? OMG, send in the press!
      gsale51@...
      • 10.5.1 == Win98, Winner of the Hyper Bowl

        I don't think your assessment of the merits of the post is fair. I
        want to hear about vulnerabilities. I'm glad that it seems as
        though our systems are already patched, but there is a nagging
        doubt that the source write-up Mr. Naraine referenced may
        have made a mistake on the recent version numbers.

        Meanwhile, one of the Mac beat guys, Jason O'Grady, is saying
        he rolled back to 10.5.1 because of issues with sound via USB.
        Others may have made essentially the same choice, i.e., not
        install 10.5.2, for other reasons. Adding to the cacophony with
        "Ha Has" and "No way" interferes with the transmission of
        information from the people who know to the people who
        should know.
        DannyO_0x98
      • Hoopla?

        He reported remotely exploitable vulnerabilities with no hoopla in sight.
        They do this for all remotely exploitable vulnerabilities so people know about it.

        The only "hoopla" on here is when people like Robin report that Microsoft is losing Apple's data.

        It may not yet be botnets, but I'm not sure anyone knows for sure. At the rate Apple has been patching OSX, and all other products, if there was someone targeting it, it would be toast now. There simply are not enough email addresses that are reliably Apple owners. When they get the freely available lists of people and email addresses on line, they know the vast majority are Windows users with an Outlook or Windows mail client. Simple as that.

        The days of practical joke attacks by teenagers are over. And as Apple's marketshare increases, it is wise to stay vigilant. 98% of all Windows "botnets" are from users following the directions in an email. The code at that link is targeting Windows. When it starts targeting OSX, then there is going to be a problem because the average Mac user thinks, from people on here and the Apple media, the machine is bulletproof.
        xuniL_z
  • iCal vulnerabilities...

    ...affect 10.5.1 (current version 10.5.2) of the operating system, and version 3.0.1 of iCal (current version 3.0.2). So if you've bothered to update your system the way you should, you don't have these vulnerabilities. Way to fud the fruit, boys n girls.
    kcsmith2
    • LOL

      LOL... I half expect to find a headline on here saying
      "Vulnerability found in Mac OS 9 and iMovie 1.0" or maybe
      "68K Macs at Risk of Attack"!
      dpollard55