Security Firm Tires of Waiting for Apple Fix, Publishes iCal Security Flaws

9:15 AM EDT, May 22nd, 2008

After attempting to work with Apple for several months on what it claims are serious security flaws in iCal, security firm Core Security Technologies (CST) published the flaws late on Wednesday. The company published notice of the bugs, along with sample proof-of-concept code, and a log of its contacts with Apple in which the two companies debate the severity of the flaws and CST threatens publication unless Apple commits to a date for fixing them.

According to CST, the flaws, "discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application."

The company also said that exploiting the vulnerabilities is possible via a client-side attack with user assistance, which means getting the victim to open a specially crafted .ics file. Worse, it would also be possible to exploit the flaw if someone has the ability to modify or add a calendar file on a CalDAV server to which the victim is subscribed.
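Both delivery paths described above, a mailed .ics attachment and a subscribed CalDAV feed, hand untrusted calendar data straight to the client's parser. One defensive measure is to check the file's structure before importing it. The validator below is an added example, not code from the article, from Core Security, or from Apple; it applies only generic RFC 5545 sanity rules (content-line syntax, BEGIN/END nesting, well-formed VALARM TRIGGER values, line-length and control-character limits) and is not a signature for the specific iCal bugs discussed. The function names, the 8 KiB line limit and both sample calendars are assumptions constructed for the example.

```python
"""Structural sanity checks on an iCalendar (.ics) file before import.

Added example, not code from the article, Core Security or Apple.  The
rules are generic RFC 5545 checks, not a detector for the iCal bugs in
the article."""
import re
from typing import List

# RFC 5545 content line: NAME, optional ;PARAM=VALUE pairs (values may be
# quoted and then contain ':'), a ':' and the value.
CONTENT_LINE_RE = re.compile(
    r'^([A-Za-z0-9-]+)((?:;[A-Za-z0-9-]+=(?:"[^"]*"|[^":;])*)*):(.*)$')
# ISO 8601 duration as used by TRIGGER, e.g. -PT15M, P1DT2H, P2W
DURATION_RE = re.compile(
    r"^[+-]?P(?:\d+W|(?:\d+D)?(?:T(?:\d+H)?(?:\d+M)?(?:\d+S)?)?)$")
DATETIME_RE = re.compile(r"^\d{8}T\d{6}Z?$")
# Components a calendar feed is expected to contain; anything else is flagged.
KNOWN_COMPONENTS = {"VCALENDAR", "VEVENT", "VTODO", "VJOURNAL", "VFREEBUSY",
                    "VTIMEZONE", "STANDARD", "DAYLIGHT", "VALARM"}
MAX_UNFOLDED_LEN = 8192  # assumed defensive limit, far above the RFC's 75-octet fold width


def unfold(text: str) -> List[str]:
    """Join folded continuation lines (leading SPACE or HTAB), RFC 5545 3.1."""
    lines: List[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def validate_ics(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    stack: List[str] = []  # currently open components, innermost last
    for lineno, line in enumerate(unfold(text), 1):
        if len(line) > MAX_UNFOLDED_LEN:
            findings.append(f"line {lineno}: unfolded line exceeds {MAX_UNFOLDED_LEN} bytes")
        if any(ord(c) < 0x20 and c != "\t" for c in line):
            findings.append(f"line {lineno}: control character in content line")
        m = CONTENT_LINE_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: not a NAME[;PARAM=VALUE]:VALUE content line")
            continue
        name, params, value = m.group(1).upper(), m.group(2).upper(), m.group(3)
        if name == "BEGIN":
            comp = value.strip().upper()
            if comp not in KNOWN_COMPONENTS:
                findings.append(f"line {lineno}: unknown component {comp}")
            if not stack and comp != "VCALENDAR":
                findings.append(f"line {lineno}: top-level component must be VCALENDAR")
            stack.append(comp)
        elif name == "END":
            comp = value.strip().upper()
            if stack and stack[-1] == comp:
                stack.pop()
            else:
                open_comp = stack[-1] if stack else "(none)"
                findings.append(f"line {lineno}: END:{comp} does not close open component {open_comp}")
        elif name == "TRIGGER":
            # TRIGGER is a duration unless VALUE=DATE-TIME says otherwise
            if "VALUE=DATE-TIME" in params:
                ok = DATETIME_RE.match(value) is not None
            else:
                ok = DURATION_RE.match(value) is not None and any(ch.isdigit() for ch in value)
            if not ok:
                findings.append(f"line {lineno}: malformed TRIGGER value {value!r}")
            if "VALARM" not in stack:
                findings.append(f"line {lineno}: TRIGGER outside a VALARM component")
    if stack:
        findings.append("unterminated component(s): " + ", ".join(stack))
    return findings


def safe_to_import(text: str) -> bool:
    """True only when validate_ics() reports nothing."""
    return not validate_ics(text)


# Constructed sample inputs (not taken from the article or the advisory).
GOOD_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//validator//EN",
    "BEGIN:VEVENT", "UID:20080522T091500Z-0001@example.invalid",
    "DTSTAMP:20080522T091500Z", "DTSTART:20080601T120000Z",
    "SUMMARY:Team meeting",
    "BEGIN:VALARM", "ACTION:DISPLAY", "DESCRIPTION:Reminder", "TRIGGER:-PT15M",
    "END:VALARM", "END:VEVENT", "END:VCALENDAR", ""])

BAD_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0",
    "BEGIN:VEVENT", "UID:0002@example.invalid", "DTSTART:20080601T120000Z",
    "SUMMARY:Broken entry",
    "BEGIN:VALARM", "ACTION:DISPLAY",
    "TRIGGER:-PT15X",   # not a valid duration
    "END:VEVENT",       # closes the wrong component; VALARM is still open
    "END:VCALENDAR", ""])

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ICS), ("bad", BAD_ICS)):
        print(label, "->", "import" if safe_to_import(doc) else "reject")
        for f in validate_ics(doc):
            print("   ", f)
```

Run as a filter in front of whatever subscribes to a feed or opens mailed invitations; a rejected file is logged with its findings rather than passed to the calendar application, which is where a malformed entry would otherwise be parsed.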

According to the contact log CST published, the firm first notified Apple of the flaws on January 20th, 2008. Over the following months, the two companies exchanged messages that acknowledged the flaws and debated their severity. CST maintained throughout the exchanges that the flaws were serious, but delayed publishing them as Apple asked for additional time.

Apple eventually told CST that it would release a security fix on May 19th, 2008, and Core set May 21st as the final date for publishing the flaws. As the 19th came and went without that update, CST followed through and published the information on its own Web site.

There has traditionally been some friction between security firms and operating system vendors, usually Microsoft or Apple. The former tend to want patches released as soon as possible, along with the publicity of having found the flaws, while the OS vendors want to take as long as they feel they need to deal with the problem, without the pressure of having the flaw publicly known.

This has occasionally led to actions such as CST's, where the security firm or white hat hacker releases the information after tiring of waiting for the vendor to act.

Observer Comments

Name: George Bailey | Posts: 20 | Joined: 26 Jun 2006
Subject: Better

Well this article is so much better written than its counterpart on IGM that they ought to either quit publishing or find a real writer.

Name: macmikey | Posts: 22 | Joined: 18 Feb 2005
Subject: Tiring of waiting?

I'm confused here.

Whose computer is jeopardized when CST puts even a proof-of-concept security exploit in the wild? Oh, right. It's MINE. And YOURS.

CST isn't simply saying, "If Apple doesn't tell everyone about this security flaw and fix it, we will." They're actually saying, "If Apple doesn't tell everyone about this security flaw and fix it, we'll show everyone how to exploit it."

If this is actually the practice of *all* security companies, perhaps there should be a DoJ investigation here. Being lax (a la Microsoft and, apparently, Apple) on security breaches is not nearly on the same level as being an accomplice to taking advantage of it.

I don't mind that CST found the flaw. I'm kind of glad they did. But they're not holding on to just an arbitrary, abstract piece of information. They've got a weapon here, and they're not just telling the best and worst of us that they've got it--they're telling the best and worst of us how we can get one, too. This is not the same as saying, "There's a guy in Santa Barbara with the Ebola virus, and if Apple doesn't tell everyone, we will." It's more like, "There's a guy in Santa Barbara with the Ebola virus, and if Apple doesn't tell everyone, we're going to take this guy to every major city in the U.S. until they do."

I think the argument that Apple isn't moving "fast enough" for crackpot CoreSecurity is a completely moot point. The fact is, it is not in CoreSecurity's rights to hold ***my*** computer's security hostage with this information just so they can get some publicity.

Perhaps they can make a PRIVATE, SECURE filing with some government agency that they've found the security hole, and could demand a certain amount of $$$ from Apple for finding it. But it is ***NOT*** their prerogative to open up iCal users to any security flaw, whatever its size, just because Apple doesn't jump when they say to.

As an iCal user, do I have the right to sue CST as an accomplice to any future iCal-borne attack because my computer has been made vulnerable, since they've proliferated the exploit? They're AT LEAST as responsible as Apple.

Name: jbruni | Posts: 105 | Joined: 14 Jul 2006
Subject: Disclosure

I read the history on CST's web site about their exchange with Apple. It appears that Apple has been quite forthcoming and responsive to CST. All I see is that CST believes a "null-pointer" bug is a "security flaw" whereas Apple doesn't. So that's the crux of it. Everything is now a security flaw.

Name: Guest
Subject: "Low risk" exploit that required alarm editing

Two of the issues quoted will crash iCal, and the third leads to memory corruption, which "might" allow an attacker to execute arbitrary code.

BUT... in order to do it, the user must import the ical entry, open it up for editing and change the alarm setting on the item! Even if someone puts it onto a server, you must still manually edit the alarm. (http://db.tidbits.com/article/9624).

So...until a patch is issued, if someone sends you an invitation, just don't edit the alarm, and you will be fine.

Name: Guest
Subject: Release date for 10.5.3

Do you think that it is possible that the slipping dates published reflect the delays in getting 10.5.3 out?

There are 8 iCal fixes listed in the developer seed notes for 10.5.3.....

Name: Guest
Subject: the sky did not fall

The software update is out now and there are no indications that either of the bugs has been exploited. Apparently all those arguing that CST was putting people at risk by letting them know of the problem and the way to avoid attacks were simply wrong and barking at the wrong tree. The disclosure talked about 3 bugs: one that lets attackers take control of a computer that is vulnerable; the other two let attackers crash somebody else's iCal application. The first one is fixed; the other two are not.

Name: Guest
Subject: The REAL iCal Security Issue

The lack of authentication for published iCal calendars is what I think is the REAL security issue.

If I know someone's .Mac username, there is a very good chance that I can subscribe to their home.ics calendar file from ANY Mac or PC (Outlook 2k7) without being prompted for authentication! I do a lot of calendar publishing/subscribing between two copies of Outlook and of course iCal, and using icalx and calgoo I am able to make it so that calendars published to those services require authentication to subscribe to them, but NOT CALENDARS PUBLISHED FROM ICAL! They are free for all to see.

Pathetic.

It's stuff like this and the default configuration of mail.app to not encrypt login/password info even on Apple's own .mac service (using mail.app) that makes me cringe every time Apple touts superior security.
