Apple's iCal Vulnerable To Hackers
In order for an attacker to exploit these vulnerabilities, he or she would have to convince an iCal user to open an .ics file sent via e-mail or hosted on a Web server.
Apple's iCal calendar application contains three vulnerabilities that could allow an attacker to crash the application or execute remote code on the victim's Mac, according to security vendor Core Security Technologies.
Core Security released an advisory on Wednesday detailing the vulnerabilities, which affect iCal version 3.0.1 running under Mac OS X 10.5.1 (Leopard).
"The most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker," the advisory warns.
The other two vulnerabilities could be used to crash iCal using a maliciously crafted .ics (iCal) file. Core Security said that it has investigated the possibility of using these two flaws to execute arbitrary code but has not proven such an attack is possible.
In order for an attacker to exploit these vulnerabilities, he or she would have to convince an iCal user to open an .ics file sent via e-mail or hosted on a Web server. An attacker could trigger the exploits directly if he or she had the ability to add or modify files on a CalDAV server.
According to a timeline provided by Core Security, the company notified Apple of the vulnerabilities back in January. In February, Apple said it would fix the bugs in its March security patch, but it didn't. Core Security then rescheduled publication of information about the vulnerabilities for April. Communication between the two vendors continued, with further promises and postponements. Finally, Core said it would publish the information whether or not Apple had addressed the vulnerabilities.