Apple iCal hit with three remote vulnerabilities

On Wednesday, Core Security announced three vulnerabilities within iCal, the personal calendar application that ships with the Mac operating system. The vulnerabilities affect iCal version 3.0.1 on MacOS X 10.5.1.

ZDNet's Ryan Naraine quotes an as-yet unpublished Core Security announcement as saying: "The vulnerabilities are caused due to iCal not properly sanitizing certain fields on iCal calendar files (.ics). This can be possibly exploited to crash iCal (first two bugs) or possibly execute arbitrary code (third bug) via malicious calendar updates or by importing a specially crafted calendar file."

Apple was rumored to be releasing a large security patch later on Wednesday, but, in an update to his blog, Naraine says that will not happen. In the meantime, Leopard users should be suspicious of links and e-mails with requests to add/open calendar (.ics) files.

[iertry]

Why is this such a problem? It effects 10.5.1 but Apple has already released 10.5.2 (I'm using it now I just checked) and they are testing 10.5.3

Unless 10.5.1 is a typo this is already fixed is it not?

[Elidine]

Apple is nothing more than a proprietary kick in the nuts. I would never buy Crapple. Ever. I run a successful computer business and I will never sell Crapple products. Crapple?s OS is garbage, its Ipods, Iphones, and Ibooks all suck.

Who would want to waste their time hacking an OS that so few people use? No one, that?s why there aren?t more attacks. Period.

[dadsgravy]

Your stupidity is cute, in a puppy with three legs kind of way.

[ittesi259]

"Who would want to waste their time hacking an OS that so few people use?" I guess you didn't read the article was a hack on a program, not the OS. Of course you were so busy flaming you might have missed it.

[Melekai]

My sympathies go out to you're customers

[Dalkorian]

People like Elidine are proof positive why our children need to finish high school at the very least. "Fat, drunk and stupid is no way to go through life, son."

[MrTangent]

Elidine: where retardation is the default state.

[TiMMay333]

And people take what you say seriously? With your childish remarks, you seem like a 13 year old fan boy. Very Sad

[TiMMay333]

Way to go CNET, lets make people that own a mac nervous about an exploit that's already been fixed... i hope people realize, especially if your reading a security site, that updating your OS is esential, even if you run a mac.

[another_dan]

this is a Zero_Day_exploit? that's what ZDNet called it.
i would guess that most folks running Leopard would already have updated to OS 10.5.2 and iCal 3.0.2. i know i did a few months ago, or whenever that was. hard to remember.

[brunerd]

Well let's say you are a Digidesign Pro-Tools user you can't use 10.5.2 because it broke things that were fixed in 10.5.1? That's one very plausible and actual scenario. Not everyone in a production environment can leap at the newest. What I really think should be mentioned is how "rigged websites" can be used because of that one little checkbox in Safari prefs that says "Open 'Safe' files after downloading" -- what an awful decision. Unless you believe all known exploitable bugs have been fixed in OS X, keep yourself safe from a drive-by download and make sure you turn it off.

[Elidine]

It really doesn't bother me if you think I'm childish. My opinions are my own, and they haven't caused me to lose any business.

I thought to be a fanboy you had to like the product? (hence the fan part)

Using apple is like "going green", it just doesn't make sense.