Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 22nd, 2008

Hackers Might Exploit Apple’s iCal Memory Corruption Vulnerability

According to security vendor Core Security Technologies, Apple’s iCal calendar application contains three vulnerabilities that could allow an attacker to crash the application or execute remote code on the victim’s Mac. Core Security released an advisory on Wednesday detailing the vulnerabilities, which affect iCal version 3.0.1 running under Mac OS X 10.5.1 (Leopard).

To exploit these vulnerabilities, an attacker must convince an iCal user to open an .ics file sent via e-mail or hosted on a Web server. An attacker able to add or modify files on a CalDAV server could trigger the exploits directly. The most serious of the three vulnerabilities is possible due to potential memory corruption resulting from a resource liberation bug.

The other two vulnerabilities could be used to crash iCal using a maliciously crafted iCal (.ics) file. These two flaws might also be usable for execution of arbitrary code, but so far there is no proof such an attack is possible.

Core Security notified Apple of the vulnerabilities back in January. In February, Apple said it would fix the bugs in its March security patch, but it didn’t. Core Security then rescheduled publication of information about the vulnerabilities for April. So far Apple has not addressed the vulnerabilities, and Core said it is about to make the information public.
