Feeds

Researchers out Apple over unpatched iCal bugs

Too slow for Core's liking

Protecting users from Firesheep and other Sidejacking attacks with SSL

Researchers at Core Security have released details of three vulnerabilities in Apple iCal scheduling application, after four months of talks with the company.

The security tools vendor said it is important for users to know about the flaws and make security precautions, even without a patch from Apple.

The iCal bugs comprise a single memory corruption flaw and two null-pointer vulnerabilities. The memory corruption bug creates a mechanism for attackers to inject hostile code into affected systems. The null pointer bugs might be used to crash the scheduling program.

Each flaws stems from a failure by Apple software to sanitize part fields within iCal calendar files (.ics). iCal versions 3.01 and 3.02 (the current version) are vulnerable.

The application comes bundled with Mac OS X, so many Apple users are at risk.

There are two possible exploits:

  • Send maliciously constructed electronic calendar updates to iCal users
  • Trick users into importing malformed calendar files from a website under the control of hackers

There's no evidence that black hats have launched attacks based on the flaws, but the opportunity for mischief remains.

In the absence of a patch, the workaround is DON'T. Don't apply calendar updates and Don't accept files from untrusted sources.

Waiting for Godot

Core researchers discovered the flaws in January 2008. Since then they have worked with the vendor through a long and protracted series of exchanges, as detailed in an advisory on BugTraq here. The inconclusive argument revolved around whether the bugs were serious enough to patch and, if so, when Apple would issue patches.

Eventually Core said it would publish an advisory on Wednesday (21 May) in the belief Apple was ready to release a fix on Monday (19 May). In the event this patch failed to appear, and is still missing in action two days later.

Ivan Arce, CTO of Core security, confirmed that no patch had been released for the iCal vulnerabilities by Thursday afternoon. Apple released fixes for a WikiServer vulnerability – notified to it by Core Security at the same time as the iCal bugs – back in February.

iCal comes bundled with Mac OS X. Arce was reluctant to speculate as to why the iCal fixes had taken so long to develop, but suggested that testing might account for the delay.

Apple has a factious relationship with some security researchers. But Arce found the consumer electronics giant no better or worse than many vendors he deals with.

“I don't think its response any worse," he said. "Apple's security team was proactive in responding to us and came back with analysis on the impact of the flaw. We didn't intend to release an advisory before it but we think it was important to get the information out so that people can know how to protect themselves."

“Apple postponed the release of a patch many times," he added. "I think this is more to do more to do with its internal process, and the need to do regression testing, than complexity of the flaws.” ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.