http://www.macnn.com/articles/08/05/21/ical.vulnerable.to.bad.ics/

iCal vulnerable to malicious .ics files

updated 04:05 pm EDT, Wed May 21, 2008

 



A new vulnerability in iCal has been discovered that allows unauthenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) assistance from the end user of the application, or to repeatedly execute a denial-of-service attack that crashes the iCal application. Core Security writes that "the most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker".

Interestingly enough, the other two vulnerabilities, which are also mildly serious, can lead to the iCal program crashing; they are caused by null-pointer dereference bugs triggered while parsing malformed .ics files. Exploitation occurs when the user opens an .ics file crafted by the attacker to take advantage of any one of the three vulnerabilities.

The malicious file could either be hosted on a web server or e-mailed to the user as a standalone file. Until an official patch is available for download from Apple, iCal users are advised to only open .ics files from a known, verified source.


by MacNN Staff

Tags: security, software, vulnerability, iCal, Apple

Comments

  1. MacDan2004

    Fresh-Faced Recruit

    Joined: Dec 2004

    +1

    MacCommonSense

    ...as is the case on any system with any file - why would you open a file from some unknown source?

  1. edinburghmac

    Fresh-Faced Recruit

    Joined: Jul 2004

    +3

    already fixed!

    If you read the article the problem is with iCal 3.0.1 on OS X 10.5.1. iCal was updated to 3.0.2 when OS X 10.5.2 came out (in February).

  1. testudo

    Forum Regular

    Joined: Aug 2001

    -5

    make sense...

    First, this is iCal. Who the h*** cares if iCal crashes???

    Second, a lot of people open files from unknown sources. How many web sites do you actually KNOW? I mean, really know. Because, truthfully, even MacNN could be taken over and run by a bunch of ne'er-do-wells bent on crashing your ical program. But you would say you "know" them.

    Third, it's an ics file. Who the h*** would rightly think "Wait, do I know who this came from? Maybe it's a trojan horse/virus". No one does that (esp because who would think an ics file could cause an issue, huh?).

    Fourth, to the "it's already fixed" crowd who always seem to want to make it sound like some problem isn't a problem because Apple 'fixed' it in some release.

    Keep in mind that not all Apple users are sheep (no, they really aren't, no matter how much you think they are). We don't all rush to our Update system and download every update Apple makes available the moment it becomes available. If your computer works perfectly fine, why would you risk an update that may or may not cause issues? Let the sheep download and install the update, and read the reports about what it breaks, what it fixes, and whether any of that is something that is important to you.

    So there are people who are running 10.4.7, or 10.3.3, or 10.5.1. Now they know there's another reason that updating to 10.5.2 might be worth it (albeit a really lame reason).
