Apple appeared to be a little slow on the uptake when Core Security Technologies beat the Cupertino-based company to publish what it deemed were three serious security bugs in Apple's iCal application on Wednesday.
Core Security warned in its security advisory that the three vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on affected systems, or could result in a denial-of-service condition that crashes Apple's iCal application outright.
Researchers from Core Security published advisories describing the flaws along with sample proof-of-concept code, as well as a log of its numerous communications with Apple disputing the severity of the flaws.
Core Security contends in the documented back-and-forth communication, which it published on its Web site, that it first notified Apple of the security flaws on Jan. 30. Throughout the following four months, Apple did not fix the vulnerabilities, and instead repeatedly requested that publication of the flaws be deferred until a fix became available, according to Core Security.
The security advisory's publication date was postponed numerous times from January until May 21. Since receiving notification of the errors in January, Apple said that it planned to release a security advisory on the iCal errors in early March, then postponed the release date to Mar. 24, April 7, April 28, May 12, and May 19, before the advisory was finally published May 21.
In addition, Apple allegedly disputed the severity of some of the security flaws from the time the errors were first reported, maintaining that two of the three bugs had no security-related consequences.
Apple did not immediately respond to calls from ChannelWeb. Of the three errors, the most serious is a potential memory corruption error that results from a resource liberation bug, which can be triggered with a specially crafted malicious calendar file, Core Security said.
Meanwhile, the other two glitches could crash the entire iCal application, stemming from errors triggered while parsing a malformed .ics file.
While all three flaws are considered serious, only one of them could allow an attacker to execute malicious code to infect users' computers. An attacker could unleash an exploit in a client-side attack by enticing a user to open or click on a malicious file delivered via e-mail or hosted on a malicious Web site. Exploitation could also occur without user consent if the attacker had access to legitimately add or modify calendar files on a CalDAV server.
The iCal application is Apple's personal calendar, which can be used as a standalone application or as a client-side component of a calendar server hosting multiple shared calendars, running on the Mac OS X operating system.