The ZDNet Zero Day security blog published an article about three iCal vulnerabilities, saying that Apple should be patching these security holes very soon. These holes “could enable client-side attacks on Mac users, using rigged Web sites or malicious attachments.” As described on the Core Security web site, the vulnerabilities are the following:
The most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker.
The other two vulnerabilities lead to abnormal termination (crash) of the iCal application due to null-pointer dereference bugs triggered while parsing malformed .ics files. The ability to inject and execute arbitrary code on vulnerable systems using these two vulnerabilities was researched but not proven possible.
Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on a specially crafted .ics file sent over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server.
The ZDNet article says that Apple will be patching these vulnerabilities soon, but this is atypical of Apple, which generally waits to release several security fixes together in an upgrade. In the meantime, “beware of strange links and e-mails with requests to add/open calendar (.ics) files.”