
May 21st, 2008

iCal vulnerabilities put Mac OS X users at risk

Posted by Ryan Naraine @ 9:53 am

Categories: Apple, Vulnerability research, Exploit code, Data theft, Open source, Arbitrary Code Execution

Tags: Apple Macintosh, Vulnerability, Patch Management, Apple Inc., Apple Mac OS X, Calendar File, Apple Mac OS, Operating Systems, Desktops, Security

Heads up to Mac OS X users: It appears Apple will be shipping high-priority security patches sometime today. (See important update at the end.)

According to a security alert from vulnerability research and pen testing firm Core Security, Apple is about to release patches for three remotely exploitable security vulnerabilities in iCal, the personal calendar application that ships on Mac OS X.

The Core advisory was coordinated with Apple’s security team so it’s a safe bet we will see a big software update later today with patches for multiple vulnerabilities.

From Core’s alert (not yet available online):

The vulnerabilities are caused due to iCal not properly sanitizing certain fields on iCal calendar files (.ics). This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file.

Vulnerable packages include iCal version 3.0.1 on MacOS X 10.5.1 (Leopard).

Core said the flaws could enable client-side attacks on Mac users, using rigged Web sites or malicious attachments.

In all three cases detailed in the advisory, an improper sanitization affects the parsing of the calendar file format for sharing calendar events. This means that a malicious iCalendar file may be sent via e-mail or posted in a Web service to trigger the vulnerabilities when the victim application opens or updates the file on his/her computer.

This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file.

Apple’s iCal users are strongly urged to look out for — and install — the patches using the Software Update mechanism built into Mac OS X.

UPDATE: I’m told that Apple’s patch has slipped and will not be released today. In the circumstances, beware of strange links and e-mails with requests to add/open calendar (.ics) files.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the world. See his full profile and disclosure of his industry affiliations.
