Core Security Beats Apple To Publish iCal Bugs

Core Security warned in its security advisory that the three vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on affected systems, which could result in a Denial of Service attack or completely crash Apple's iCal application altogether.

Researchers from Core Security published advisories of the flaws and a sample proof-of-concept code, as well as a list of numerous communications between Apple that argue the severity of the flaws.

Core Security contends in documented back-and-forth communication, which it published on its Web site, that it had first notified Apple of the security flaws on Jan. 30. Throughout the past four months, Apple did not take care of the vulnerabilities, and instead continuously requested that publication of the flaws be deferred until a fix became available, according to Core Security.

The security advisory's publication date was postponed numerous times from January until May 21. Since receiving notification of the errors in January, Apple said that it planned to release a security advisory on the iCal errors in early March, then postponed the release date to Mar. 24, April 7, April 28, May 12, and May 19, before the advisory was finally published May 21.

In addition, Apple allegedly argued the severity of some of the security flaws since the errors were first detected -- maintaining that two of the three bugs had no security related consequences.

Apple did not immediately respond to calls from ChannelWeb. Of the three errors, a potential memory corruption error is the most serious, which results from a resource liberation bug that can be triggered with a specially-crafted malicious calendar file, Core Security said.

Meanwhile, the other two glitches could lead to a crash of the entire iCal application stemming from errors triggered while parsing a malformed ics file.

While all three flaws are considered serious, only one of them could allow an attacker to execute malicious code to infect users' computers. An attacker could unleash an exploit in a client-side attack by enticing a user to open or click on a malicious file delivered via e-mail or hosted on a malicious Web site. Exploitation could also occur without user consent if the attacker had access to legitimately add or modify calendar files on a CalDAV server.

The iCal application is Apple's version of a personal calendar, which can be used as a standalone application or a client-side component to a calendar server for multiple shared calendars running on Mac OS X operating system.