Core Security Publishes Apple iCal Vulnerabilities After Apple Fails To Patch

Researchers from Core Security Technologies yesterday grew weary of waiting for Apple to release a patch for vulnerabilities in Apple’s iCal application, which they discovered several months ago.

The three vulnerabilities affect iCal v3.0.1, which comes as standard with Mac OS X 10.5.1. One additional bug in iCal Server, a component of Mac OS X Server, was also found.

“Three vulnerabilities discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application.”

Apple patched the server problem in its March update; however, no other patches for the iCal bugs were released. Core Security delayed publishing details of the iCal bugs because of Apple’s request for more time. Originally the company said the iCal fixes would be included in the March 18 update. It then said late April and, subsequently, early May. Apple finally settled on Monday the 19th as the release date for the fix.

As you may have noticed, no patch came. Core Security’s full report, including a timeline and log of correspondence with Apple, is available here.

Jane McEntegart
Contributor

Jane McEntegart is a writer, editor, and marketing communications professional with 17 years of experience in the technology industry. She has written about a wide range of technology topics, including smartphones, tablets, and game consoles. Her articles have been published in Tom's Guide, Tom's Hardware, MobileSyrup, and Edge Up.

  • Cuddles
    But Apple is better!
  • pereira5375
    They likely have no or very little infrastructure to fix vulnerabilities as everybody knows Apples aren't vulnerable in the first place.
    With Apple sitting around 20% laptop market share the clock is just now starting to tick on that theory.