The Mac Observer

Skip navigational links

You're viewing an article in TMO's historic archive vault. Here, we've preserved the comments and how the site looked along with the article. Use this link to view the article on our current site:
Security Firm Tires of Waiting for Apple Fix, Publishes iCal Security Flaws

Security Firm Tires of Waiting for Apple Fix, Publishes iCal Security Flaws

by , 9:15 AM EDT, May 22nd, 2008

After attempting to work with Apple for several months on what it claims are serious security flaws in iCal, security firm Core Security Technologies (CST) published the flaws late on Wednesday. The company published notice of the bugs, along with sample proof-of-concept code, and a log of contacts between Apple that debate the severity of the flaws and threaten publication unless Apple commits to a date for fixing the flaws.

According to CST, the flaws, "discovered in the iCal application may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application."

The company also said that exploiting the vulnerabilities is possible via a client-side attack with user assistance, which means getting the victim to click on a specially crafted .ics file. Worse, it would also be possible to exploit the flaw if someone has the ability to modify or add a calendar file on a CalDAV server to which the victim was subscribed.

According to the log of contacts with Apple CST published, the firm first notified Apple of the flaws January 20th, 2008. Over the following months, the two companies exchanged contacts that acknowledged the flaws and debated their severity. CST maintained throughout the exchanges that they were serious flaws, but delayed publishing them as Apple asked for additional time.

Apple eventually told CST that it would release a security fix on May 19th, 2008, and Core set May 21st as the final date for publishing the flaws. As the 19th came and went without that update, CST followed through and published the information on its own Web site.

There has traditionally been some friction between security firms and operating system vendors, usually Microsoft or Apple. The former tend to want patches released ASAP and the publicity of having found the flaws, while the OS vendors want to be able to take as long as they feel they need to dealing with the problem without having to worry about the pressure of having the flaw known.

This has occasionally led to actions such as those of CST, where the security firm or white hat hacker releases the information after tiring of awaiting action from the vendors.

Recent TMO Headlines - Updated September 25th

Sun, 12:22 PM
The Truth is in The Cloud – Mac Geek Gab 676
Fri, 7:02 PM
The Intriguing Design of The Steve Jobs Theater Explained
Fri, 5:45 PM
Anki OVERDRIVE Adds Fast & Furious Edition
Fri, 5:15 PM
iVAPO Folio Case for the 10.5-inch iPad Pro is a Delight: A Review
Fri, 5:05 PM
Terminal Tinkering: Say Hello to TMO's New Podcast for Tech Enthusiasts
Fri, 4:25 PM
Apple Posted Apple Pay How To Videos on YouTube
Fri, 3:43 PM
Movie Rentals in iTunes Have Changed for the Better
Fri, 3:00 PM
The Royal iPod Has Been Spotted For The First Time
Fri, 2:29 PM
Thanks to Misuse, Apps Can't View MAC Addresses on iOS 11
Fri, 1:28 PM
Go Behind the Scenes with Apple's iPhone Pre-order War Room
Fri, 1:20 PM
Setting Up Your New iPhone and Apple Watch, Terminal Tinkering Debut - TMO Daily Observations 2017-09-22
Fri, 11:46 AM
Blips Smartphone Lens Kits: $24.99
  • __________
  • Buy Stuff, Support TMO!
  • Podcast: Mac Geek Gab
  • Podcast: Apple Weekly Report
  • TMO on Twitter!