Security Firm Tires of Waiting for Apple Fix, Publishes iCal Security Flaws

News

Bryan Chaffin

3:00 PM, May. 21st ET, 2008

Articles by Author Bryan Chaffin on Twitter Contact Author Bio

Comments (0)

After attempting to work with Apple for several months on what it claims are serious security flaws in iCal, security firm Core Security Technologies (CST) published the flaws late on Wednesday. The company published notice of the bugs, along with sample proof-of-concept code, and a log of contacts between Apple that debate the severity of the flaws and threaten publication unless Apple commits to a date for fixing the flaws.

According to CST, the flaws, "discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application."

The company also said that exploiting the vulnerabilities is possible via a client-side attack with user assistance, which means getting the victim to click on a specially crafted .ics file. Worse, it would also be possible to exploit the flaw if someone has the ability to modify or add a calendar file on a CalDAV server to which the victim was subscribed.

According to the log of contacts with Apple CST published, the firm first notified Apple of the flaws January 20th, 2008. Over the following months, the two companies exchanged contacts that acknowledged the flaws and debated their severity. CST maintained throughout the exchanges that they were serious flaws, but delayed publishing them as Apple asked for additional time.

Apple eventually told CST that it would release a security fix on May 19th, 2008, and Core set May 21st as the final date for publishing the flaws. As the 19th came and went without that update, CST followed through and published the information on its own Web site.

There has traditionally been some friction between security firms and operating system vendors, usually Microsoft or Apple. The former tend to want patches released ASAP and the publicity of having found the flaws, while the OS vendors want to be able to take as long as they feel they need to dealing with the problem without having to worry about the pressure of having the flaw known.

This has occasionally led to actions such as those of CST, where the security firm or white hat hacker releases the information after tiring of awaiting action from the vendors.

Post A Comment or Log-in. Need an account? Register here.

Recent Headlines - Updated May 26th

Sat, 10:00 AM: MacOS KenDensed - MacOS KenDensed: Apple’s Patent Lawsuit & Antitrust Shuffle
Fri, 5:58 PM: News - Sotheby’s to Auction Steve Jobs Atari Memo (Photo Gallery)
5:42 PM: Free on iTunes - 3 Free iOS Apps for News Hounds
3:00 PM: Rumor - Nest Thermostat Reportedly Coming to Apple Retail Stores
2:40 PM: Particle Debris - The TV Industry’s Dreadful Little Secret
2:33 PM: News - Mobile Devices Account for 20% of Web Traffic in US, Canada
12:49 PM: News - Apple Now Offering “Free App of the Week” for iOS
12:21 PM: News - Tim Cook Declines $75 Million Dividend Payout
11:25 AM: News - Absinthe 2.0 Provides Untethered Jailbreak for iOS 5.1.1
11:09 AM: Quick Look Review - F18 Carrier Landing (iOS) is a Boatload of Fun
10:51 AM: TMO Appearances - Jeff Gamet talks Cool Apps & Accessories on Not Another Mac Podcast
10:12 AM: Hot Forum Topic - Forum Poll: Which is Your Favorite Photo Sharing Service?

The Mac Observer Reader Specials

Macsales Add 2nd Hard Drive or SSD to Mac mini, MacBook or MacBook Pro. 1TB of Hard Drive or SSD Capacity from $64.99! Video Guides Make it easy - OWC DataDoubler - Macsales.com
Mac RAM Upgrades: MacBook Pro 16GB kits $475, 8GB Kits for $119.99! iMac 16GB RAM Kits (4x 4GB) for $229.99! Mac Pro Memory 32GB Kit for $399.99, 64GB Kit for $889.99! Mac Hard Drives 2TB Seagate SATA II for $249.99! Click Here!
If you're using a Mac, then you've gotta check out PokerOnAMac.com. Online casinos and poker rooms are literally giving away cash and the casino sites at Poker on a Mac do the unthinkable, they actually reward! Join today, the download is free!
Looking to find online casinos for mac? We can help you find the best real money casino sites where you can play your favorite casino games including blackjack and slots.

Buy Stuff, Support TMO via Apple or Amazon
Deals from DealBrothers.com
Reader Specials
Read TMO on Kindle
TMO on Twitter and FaceBook:

Apple Stock Quote (AAPL)

Last trade: $---.-- $---.--
Market cap: $---.--
Discuss in our Apple Finance Board

Quotes are delayed. Currency in USD

Hot Topics

What's the buzz? These articles have TMO readers talking.

Samsung: Apple’s Trial Experts Are “Slavish” Fanboys - 19 Comments
Forrester: Maybe Apple’s TV Isn’t a TV - 9 Comments
The TV Industry’s Dreadful Little Secret - 8 Comments
Analyst: Apple to Offer iPhone 3GS as Pre-Paid Option - 8 Comments
Jonathan Ive Calls Apple’s Current Project the “Most Important” - 7 Comments
Estimated Apple TV Sales to Date: 6.3 Million - 7 Comments

TMO Express

Join the TMO Express Daily Newsletter to get the latest Mac headlines in your e-mail every weekday. Find out more!

Top Deals From DealBrothers.com

Recent Features

Get the latest installments of TMO Columns, Podcasts, & Blogs.

© The Mac Observer, Inc. -- All rights reserved. All information presented on this site is copyrighted by The Mac Observer, Inc. except where otherwise noted. No portion of this site may be copied without express written consent. Other sites are invited to link to any aspect of this site provided that all content is presented in its original form and is not placed within another frame. The Mac Observer is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple, Inc.