Security Firm Tires of Waiting for Apple Fix, Publishes iCal Security Flaws
by , 9:15 AM EDT, May 22nd, 2008
After attempting to work with Apple for several months on what it claims are serious security flaws in iCal, security firm Core Security Technologies (CST) published the flaws late on Wednesday. The company published notice of the bugs, along with sample proof-of-concept code, and a log of its contacts with Apple in which the two sides debate the severity of the flaws and CST threatens publication unless Apple commits to a date for fixing them.
According to CST, the flaws, "discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application."
The company also said that exploiting the vulnerabilities is possible via a client-side attack with user assistance, which means getting the victim to click on a specially crafted .ics file. Worse, it would also be possible to exploit the flaw if someone has the ability to modify or add a calendar file on a CalDAV server to which the victim was subscribed.
According to the log of contacts with Apple CST published, the firm first notified Apple of the flaws January 20th, 2008. Over the following months, the two companies exchanged contacts that acknowledged the flaws and debated their severity. CST maintained throughout the exchanges that they were serious flaws, but delayed publishing them as Apple asked for additional time.
Apple eventually told CST that it would release a security fix on May 19th, 2008, and Core set May 21st as the final date for publishing the flaws. As the 19th came and went without that update, CST followed through and published the information on its own Web site.
There has traditionally been some friction between security firms and operating system vendors, usually Microsoft or Apple. The former tend to want patches released ASAP, along with the publicity of having found the flaws, while the OS vendors want to take as long as they feel they need to deal with the problem without the pressure of having the flaw publicly known.
This has occasionally led to actions such as those of CST, where the security firm or white hat hacker releases the information after tiring of awaiting action from the vendors.
Observer Comments
Thu May 22, 2008 3:34 pm Subject: Tiring of waiting?
I'm confused here.
Whose computer is jeopardized when CST puts even a proof-of-concept security exploit in the wild? Oh, right. It's MINE. And YOURS.
CST isn't simply saying, "If Apple doesn't tell everyone about this security flaw and fix it, we will." They're actually saying, "If Apple doesn't tell everyone about this security flaw and fix it, we'll show everyone how to exploit it."
If this is actually the practice of *all* security companies, perhaps there should be a DoJ investigation here. Being lax (a la Microsoft and, apparently, Apple) on security breaches is not nearly on the same level as being an accomplice to taking advantage of it.
I don't mind that CST found the flaw. I'm kind of glad they did. But they're not holding on to just an arbitrary, abstract piece of information. They've got a weapon here, and they're not just telling the best and worst of us that they've got it--they're telling the best and worst of us how we can get one, too. This is not the same as saying, "There's a guy in Santa Barbara with the Ebola virus, and if Apple doesn't tell everyone, we will." It's more like, "There's a guy in Santa Barbara with the Ebola virus, and if Apple doesn't tell everyone, we're going to take this guy to every major city in the U.S. until they do."
I think the argument that Apple isn't moving "fast enough" for crackpot CoreSecurity is a completely moot point. The fact is, it is not in CoreSecurity's rights to hold ***my*** computer's security hostage with this information just so they can get some publicity.
Perhaps they can make a PRIVATE, SECURE filing with some government agency that they've found the security hole, and could demand a certain amount of $$$ from Apple for finding it. But it is ***NOT*** their prerogative to open up iCal users to any security flaw, whatever its size, just because Apple doesn't jump when they say to.
As an iCal user, do I have the right to sue CST as an accomplice to any future iCal-borne attack because my computer has been made vulnerable, since they've proliferated the exploit? They're AT LEAST as responsible as Apple.
I read the history on CST's web site about their exchange with Apple. It appears that Apple has been quite forthcoming and responsive to CST. All I see is that CST believes a "null-pointer" bug is a "security flaw" whereas Apple doesn't. So that's the crux of it. Everything is now a security flaw.
Two of the issues quoted will crash iCal, and the third leads to memory corruption, which "might" allow an attacker to execute arbitrary code.
BUT... in order to do it, the user must import the ical entry, open it up for editing and change the alarm setting on the item! Even if someone puts it onto a server, you must still manually edit the alarm. (http://db.tidbits.com/article/9624).
So...until a patch is issued, if someone sends you an invitation, just don't edit the alarm, and you will be fine.
The software update is out now and there are no indications that either of the bugs has been exploited. Apparently all those arguing that CST was putting people at risk by letting them know of the problem and the way to avoid attacks were simply wrong and barking up the wrong tree. The disclosure talked about 3 bugs: one that lets attackers take control of a computer that is vulnerable, the other two let attackers crash somebody else's iCal application. The first one is fixed, the other two are not.
The lack of authentication for published iCal calendars is what I think is the REAL security issue.
If I know someone's .Mac username, there is a very good chance that I can subscribe to their home.ics calendar file from ANY Mac or PC (Outlook 2k7) without being prompted for authentication! I do a lot of calendar publishing/subscribing between two copies of Outlook and of course iCal, and using icalx and calgoo I am able to make it so that calendars published to those services require authentication to subscribe to them, but NOT CALENDARS PUBLISHED FROM ICAL! They are free for all to see.
Pathetic.
It's stuff like this and the default configuration of mail.app to not encrypt login/password info even on Apple's own .mac service (using mail.app) that makes me cringe every time Apple touts superior security.