May 21, 2008 11:43 AM PDT

Apple iCal hit with three remote vulnerabilities

by Robert Vamosi

On Wednesday, Core Security announced three vulnerabilities in iCal, the personal calendar application that ships with Mac OS X. The vulnerabilities affect iCal version 3.0.1 on Mac OS X 10.5.1.

ZDNet's Ryan Naraine quotes an as-yet unpublished Core Security announcement as saying: "The vulnerabilities are caused due to iCal not properly sanitizing certain fields on iCal calendar files (.ics). This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file."

Apple was rumored to be releasing a large security patch later on Wednesday, but, in an update to his blog, Naraine says that will not happen. In the meantime, Leopard users should be suspicious of links and e-mails asking them to add or open calendar (.ics) files.
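The advisory quoted above blames unsanitized fields in .ics files, but says nothing about which fields. As an added example (this is not Core Security's proof-of-concept and not Apple's code), here is a small pre-screen that a cautious user or a mail gateway could run over a calendar file before handing it to iCal. It unfolds RFC 2445 content lines, then flags the kind of input a fragile parser tends to choke on: oversized lines, control characters, missing property separators, unbalanced BEGIN/END components, non-date DTSTART/DTEND values, and RRULE COUNT/INTERVAL parts that are not positive integers. The choice of fields, the 4096-byte limit and the two sample calendars are assumptions made for illustration.

```python
"""Pre-screen an .ics file for malformed fields before importing it.

Added example, not Core Security's proof-of-concept or Apple's code.  The
fields, limits and sample inputs below are assumptions for illustration;
the page does not say which iCal fields were mishandled.
"""
import re

MAX_LINE_LEN = 4096                        # assumption: no real unfolded content line is this long
INT_RRULE_PARTS = {"COUNT", "INTERVAL"}    # assumption: RRULE parts that must be positive integers
DATE_RE = re.compile(r"^\d{8}(T\d{6}Z?)?$")   # RFC 2445 DATE or DATE-TIME (basic form)
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")  # anything except TAB is suspicious


def unfold(text):
    """Undo RFC 2445 line folding: a line starting with SPACE or TAB continues the previous one."""
    out = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and out:
            out[-1] += raw[1:]
        elif raw:
            out.append(raw)
    return out


def split_content_line(line):
    """Split NAME;PARAM=v;...:VALUE into (name, params, value), ignoring ':' inside quoted params."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            head, value = line[:i], line[i + 1:]
            break
    else:
        return None
    parts = head.split(";")
    return parts[0].upper(), parts[1:], value


def screen_ics(text):
    """Return a list of (line_no, reason) findings; an empty list means nothing looked malformed."""
    findings = []
    stack = []   # open BEGIN components
    for no, line in enumerate(unfold(text), 1):
        if len(line) > MAX_LINE_LEN:
            findings.append((no, "content line longer than %d bytes" % MAX_LINE_LEN))
        if CONTROL_RE.search(line):
            findings.append((no, "control characters in content line"))
        parsed = split_content_line(line)
        if parsed is None:
            findings.append((no, "no unquoted ':' separating property name from value"))
            continue
        name, params, value = parsed
        if name == "BEGIN":
            stack.append(value.upper())
        elif name == "END":
            if not stack or stack.pop() != value.upper():
                findings.append((no, "END:%s does not match the open component" % value))
        elif name in ("DTSTART", "DTEND", "DUE") and not DATE_RE.match(value):
            findings.append((no, "%s value is not a DATE or DATE-TIME" % name))
        elif name == "RRULE":
            for part in value.split(";"):
                key, _, val = part.partition("=")
                if key.upper() in INT_RRULE_PARTS and not (val.isdigit() and int(val) >= 1):
                    findings.append((no, "RRULE %s=%r is not a positive integer" % (key, val)))
    if stack:
        findings.append((0, "unterminated components: %s" % ", ".join(stack)))
    return findings


# Constructed sample inputs (not real calendar files from any source).
GOOD_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//example//constructed sample//EN",
    "BEGIN:VEVENT",
    "UID:1@example.invalid",
    "DTSTART:20080521T180000Z",
    "DTEND:20080521T190000Z",
    "SUMMARY:Patch review folded across",
    "  two lines",
    "RRULE:FREQ=WEEKLY;COUNT=4",
    "END:VEVENT",
    "END:VCALENDAR",
])

BAD_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "BEGIN:VEVENT",
    "DTSTART:not-a-date",
    "RRULE:FREQ=DAILY;COUNT=-1;INTERVAL=0",
    "X-JUNK-NO-COLON",
    "DESCRIPTION:" + "A" * 5000,
    "END:VTODO",
    "END:VCALENDAR",
])

if __name__ == "__main__":
    for label, sample in (("benign", GOOD_ICS), ("crafted", BAD_ICS)):
        print(label, screen_ics(sample) or "no findings")
```

A screen like this is a triage aid, not a fix: it rejects obviously hostile structure so the file never reaches the vulnerable parser, but it cannot prove a file safe, and the real remedy is Apple's update.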

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Comments (12)
by iertry May 21, 2008 12:02 PM PDT
Why is this such a problem? It affects 10.5.1, but Apple has already released 10.5.2 (I'm using it now, I just checked) and they are testing 10.5.3.

Unless 10.5.1 is a typo, this is already fixed, is it not?
Reply to this comment
by Elidine May 21, 2008 12:42 PM PDT
Apple is nothing more than a proprietary kick in the nuts. I would never buy Crapple. Ever. I run a successful computer business and I will never sell Crapple products. Crapple's OS is garbage; its iPods, iPhones, and iBooks all suck.

Who would want to waste their time hacking an OS that so few people use? No one, that's why there aren't more attacks. Period.
Reply to this comment
by dadsgravy May 21, 2008 12:55 PM PDT
Your stupidity is cute, in a puppy with three legs kind of way.
by ittesi259 May 21, 2008 12:58 PM PDT
"Who would want to waste their time hacking an OS that so few people use?" I guess you didn't read the article was a hack on a program, not the OS. Of course you were so busy flaming you might have missed it.
by Melekai May 21, 2008 1:36 PM PDT
My sympathies go out to your customers.
by Dalkorian May 21, 2008 4:56 PM PDT
People like Elidine are proof positive why our children need to finish high school at the very least. "Fat, drunk and stupid is no way to go through life, son."
by MrTangent May 22, 2008 9:07 AM PDT
Elidine: where retardation is the default state.
by TiMMay333 May 21, 2008 2:50 PM PDT
And people take what you say seriously? With your childish remarks, you seem like a 13 year old fan boy. Very Sad
Reply to this comment
by TiMMay333 May 21, 2008 2:53 PM PDT
Way to go, CNET, let's make people that own a Mac nervous about an exploit that's already been fixed... I hope people realize, especially if you're reading a security site, that updating your OS is essential, even if you run a Mac.
Reply to this comment
by another_dan May 21, 2008 4:58 PM PDT
This is a zero-day exploit? That's what ZDNet called it.
I would guess that most folks running Leopard would already have updated to OS 10.5.2 and iCal 3.0.2. I know I did a few months ago, or whenever that was. Hard to remember.
Reply to this comment
by brunerd May 21, 2008 10:49 PM PDT
Well, let's say you are a Digidesign Pro Tools user: you can't use 10.5.2 because it broke things that were fixed in 10.5.1. That's one very plausible and actual scenario. Not everyone in a production environment can leap at the newest. What I really think should be mentioned is how "rigged websites" can be used because of that one little checkbox in Safari prefs that says "Open 'Safe' files after downloading" -- what an awful decision. Unless you believe all known exploitable bugs have been fixed in OS X, keep yourself safe from a drive-by download and make sure you turn it off.
Reply to this comment
by Elidine May 22, 2008 5:00 AM PDT
It really doesn't bother me if you think I'm childish. My opinions are my own, and they haven't caused me to lose any business.

I thought to be a fanboy you had to like the product? (hence the fan part)

Using apple is like "going green", it just doesn't make sense.
Reply to this comment