iCal vulnerabilities put Mac OS X users at risk

According to a security alert from vulnerability research and pen testing firm Core Security, Apple is about to release patches for three remotely exploitable security vulnerabilities in iCal, the personal calendar application that ships on Mac OS X.

The Core advisory was coordinated with Apple's security team so it's a safe bet we will see a big software update later today with patches for multiple vulnerabilities.

From Core's alert (not yet available online):

The vulnerabilities are caused due to iCal not properly sanitizing certain fields on iCal calendar files (.ics). This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file.

Vulnerable packages include iCal version 3.0.1 on MacOS X 10.5.1 (Leopard).

Core said the flaws could enable client-side attacks on Mac users, using rigged Web sites or malicious attachments.

In all three cases detailed in the advisory, an improper sanitization affects the parsing of the calendar file format for sharing calendar events. This means that a malicious iCalendar file may be sent via e-mail or posted in a Web service to trigger the vulnerabilities when the victim application opens or updates the file on his/her computer.

This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file.

Apple's iCal users are strongly urged to look out for -- and install -- the patches using the Software Update mechanism built into Mac OS X.

UPDATE:  I'm told that Apple's patch has slipped and will not be released today.   In the circumstances,  beware of strange links and e-mails with requests to add/open calendar (.ics) files.