Core Security Publishes Apple iCal Vulnerabilities After Apple Fails To Patch

Researchers from Core Security Technologies yesterday grew weary of waiting for Apple to release a patch for vulnerabilites in Apple’s iCal application, which they discovered several months ago.

The three vulnerabilities affect iCal v3.0.1 that comes as standard with Mac OS X 10.5.1. One other additional bug in iCal Server, a component of Mac OS X Server, was also found.

The report states,

“Three vulnerabilities discovered in the iCal application may allow 
un-authenticated attackers to execute arbitrary code on vulnerable 
systems with (and potentially without) the assistance from the end user 
of the application or to repeatedly execute a denial of service attack to crash the iCal application.”

Core first got in touch with Apple on January 30th of this year to let the company know they had discovered vulnerabilities in the iCal application and iCal server and that an advisory draft was available. Apple replied the next day and requested said advisory.

Things after that get a little messy with Core repeatedly asking for a release date for patches to fix the bugs (so they could publish the information) and Apple contesting the severity of two of the three iCal vulnerabilities and constantly changing the release date of the patch. Core maintained that all three of the flaws were serious while Apple claimed only one the iCal bugs was a security vulnerability. Apple also claimed that the server bug was not in the iCal Server but the Wiki Server.

Apple patched the server problem in its March update, however no other patches for the iCal bugs were released. Core Security delayed publishing details of the iCal bugs because of Apple’s request for more time. Original the company said the iCal fixes would be included in the March 18 update. It then said late April and subsequently, early May. Apple finally settled on Monday the 19th as the release date for the fix.

Apple requested further delays on May 10th and this is when Core decided it had had enough. The company said it would discuss rescheduling but two days later set the 21st of May as the day the company would publish its findings regardless of whether or not Apple released a patch.

As you may have noticed, no patch came. Core Security’s full report including a time-line and log of correspondence with Apple are available here.