iCal Features Three Serious Vulnerabilities
Mac users had better be careful when using Mac OS X's calendaring app: 3 bugs have been discovered recently, and their successful exploitation would lead to seriously unpleasant results.
May 22, 2008
The first and most important flaw is related to memory corruption. The report says that it can be triggered if a specially-crafted .ics file is executed. The exploit is aimed at a resource liberation bug and it would allow the attacker to execute arbitrary code on the machine.
The other two vulnerabilities also rely on the execution of a malformed .ics file. The file takes advantage of a null-pointer dereference bug in the software and the result would be that iCal would repeatedly crash.
Still, there is some good news about these two flaws:
“The ability to inject and execute arbitrary code on vulnerable systems using these two vulnerabilities was researched but not proven possible.”
The flaws affect iCal 3.0.1 running on Mac OS X 10.5.1. Upgraded versions were reported to be immune.