Core Security released an advisory on Wednesday detailing the vulnerabilities, which affect iCal version 3.0.1 running under Mac OS X 10.5.1 (Leopard).
"The most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker," the advisory warns.
The other two vulnerabilities could be used to crash iCal using a maliciously crafted .ics (iCal) file. Core Security said that it has investigated the possibility of using these two flaws to execute arbitrary code but has not proven such an attack is possible.
In order for an attacker to exploit these vulnerabilities, he or she would have to convince an iCal user to open an .ics file sent via e-mail or hosted on a Web server. An attacker could trigger the exploits directly if he or she had the ability to add or modify files on a CalDAV server.
According to a time line provided by Core Security, the company notified Apple of the vulnerabilities back in January. In February, Apple said it would fix the bugs in its March security patch, but it didn't. Core Security then rescheduled publication of information about the vulnerabilities for April. Communication between the two vendors continued, with further promises and postponements. Finally, Core said it would publish the information whether or not Apple had addressed the vulnerabilities.