Security company discloses iCal vulnerabilities

Core Security, in an advisory that showed a contentious argument with Apple, disclosed three iCal bugs that attackers could exploit using malicious servers, web sites, and .ics email attachments.

"The vulnerabilities may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application," said Core Security.

The advisory states that iCal 3.01 running on Mac OS X 10.5.1 is still vulnerable, but it's unclear if the latest version of both iCal and Mac OS X (3.02 and 10.5.2, respectively) fix the problems. Apple asked Core Security to delay publication of its findings, but Core Security set May 21 as its drop-deadline.

Core Security first reported the bugs in January. Apple fixed one of the bugs in a security release in March (2008-002), but thought that the others were not as critical as Core Security did. After Apple pushed back the release date for the remaining patches several times, a frustrated Core Security said they would release details of the bugs.

[Via Macworld]

Update (June 1, 2008): The Washington Post notes that Mac OS X 10.5.3 patches the vulnerability.