Apple iCal fix MIA: you're SOL
- TAGS:Apple, Core, CST, iCal, Mac OS X
- IT TOPICS:Applications, Desktop Apps, Macintosh, Security
Did you miss me? It's IT Blogwatch: in which Apple's iCal calendar app still has vulnerabilities after four months. Not to mention more Error'd...
Gregg Keizer reports:
Critical vulnerabilities remain in Apple Inc.'s iCal calendar program, a security company said Wednesday in an advisory that showed months of back-and-forth between Apple and the researchers over whether bugs were serious enough to warrant patches, and if so, when Apple would patch them. After several delays requested by Apple, the security vendor put its foot down and told the company's security team it would release information about the vulnerabilities May 21, whether Apple had issued patches or not ... Core Security Technologies detailed three bugs in iCal that attackers could remotely exploit using compromised servers, malicious Web sites or e-mailed .ics file attachments. more
Core's Rodrigo Carvalho and Ricardo Narvaja elaborate:
Three vulnerabilities discovered in the iCal application may allow unauthenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) assistance from the end user of the application, or to repeatedly execute a denial of service attack to crash the iCal application. A client-side attack directed to the end-users of the iCal application can be executed by sending an email with a malicious .ics file attachment, by hosting a malicious .ics file on a web site and directing users to open it, or by injecting a malicious .ics file on a CalDAV enabled server to which potential victims are subscribed to update their calendars automatically. In the three reported cases the vulnerabilities arise from improper validation of input while or after parsing of the calendar file format. more
Chris Foresman is scared:
While two of the vulnerabilities lead to a crash caused by null pointer dereferencing (merely annoying), a third vulnerability causes memory corruption, which could lead to malicious code execution (kinda scary) ... Apple has been notified of these issues and is working on a fix. The fix was expected May 19, but so far, Apple has not released anything via Software Update. In the meantime, avoid clicking .ics files—or anything, for that matter—in suspect e-mails, and hope the script kiddies don't get ahold of your subscribed calendars. more
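The Core and Foresman excerpts above name the two bug classes at issue: a NULL pointer dereference (crash) and memory corruption, both arising from input that is not validated while or after parsing the .ics format. As an added illustration that is not part of this post, Core's advisory or Apple's code, here is a small defensive iCalendar content-line parser in C showing the checks that prevent both; the limits, the SAMPLE_ICS text and all function names are this example's own constructions.

```c
#include <string.h>
#define MAX_NAME  64    /* limits this example enforces (constructed, not iCal's own) */
#define MAX_VALUE 256
typedef struct { char name[MAX_NAME]; char value[MAX_VALUE]; } ics_prop;

static int name_char_ok(char c) { return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-'; }

/* Parse one content line "NAME[;PARAM=x]:VALUE". Returns 1 on success, 0 if malformed or over
 * the limits: pointers are checked before use and copies are bounded, so a hostile line can
 * neither trigger a NULL dereference nor write past the fixed buffers. */
int ics_parse_line(const char *line, ics_prop *out)
{
    if (line == NULL || out == NULL) return 0;
    const char *colon = strchr(line, ':');
    if (colon == NULL) return 0;                        /* no ':' -> reject, never deref NULL */
    size_t name_len = (size_t)(colon - line);
    const char *semi = memchr(line, ';', name_len);
    if (semi != NULL) name_len = (size_t)(semi - line);  /* drop ;PARAM=... */
    if (name_len == 0 || name_len >= MAX_NAME) return 0;
    for (size_t i = 0; i < name_len; i++)
        if (!name_char_ok(line[i])) return 0;
    const char *value = colon + 1;
    size_t value_len = strcspn(value, "\r\n");
    if (value_len >= MAX_VALUE) return 0;               /* too long -> reject, never overflow */
    memcpy(out->name, line, name_len);    out->name[name_len] = '\0';
    memcpy(out->value, value, value_len); out->value[value_len] = '\0';
    return 1;
}

int ics_line_ok(const char *line) { ics_prop p; return ics_parse_line(line, &p); }

/* Walk a whole .ics body: returns the number of well-formed lines and stores the number
 * rejected in *rejected (may be NULL). Oversized lines are rejected whole, never copied. */
int ics_scan(const char *text, int *rejected)
{
    int ok = 0, bad = 0;
    for (const char *cur = text; *cur != '\0'; ) {
        size_t len = strcspn(cur, "\n");
        char buf[MAX_NAME + MAX_VALUE + 8];
        if (len >= sizeof buf) bad++;
        else { memcpy(buf, cur, len); buf[len] = '\0'; if (ics_line_ok(buf)) ok++; else bad++; }
        cur += len + (cur[len] == '\n');
    }
    if (rejected != NULL) *rejected = bad;
    return ok;
}

/* Constructed sample: DTSTART carries a parameter; the SUMMARY line is missing its ':' */
static const char SAMPLE_ICS[] =
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nDTSTART;TZID=UTC:20080521T120000Z\r\n"
    "SUMMARY no colon on this line\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n";

int ics_sample_rejected(void) { int r; ics_scan(SAMPLE_ICS, &r); return r; }
```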
But Derik DeLong debunks:
If you don’t use a network calendar server or regularly import ICS files, you’re safe. There’s nothing to worry about. However, if you do, you need to be careful that the source of your calendar data isn’t likely to be compromised. Don’t open random ICS files. Make sure only trusted people can alter the online calendar you’re subscribed to. Hopefully these will be fixed soon. more
Bryan Chaffin observes the timeline:
According to the log of contacts with Apple that CST published, the firm first notified Apple of the flaws January 20th, 2008. Over the following months, the two companies exchanged contacts that acknowledged the flaws and debated their severity. CST maintained throughout the exchanges that they were serious flaws, but delayed publishing them as Apple asked for additional time. Apple eventually told CST that it would release a security fix on May 19th, 2008, and Core set May 21st as the final date for publishing the flaws. As the 19th came and went without that update, CST followed through and published the information on its own Web site. more
Rich Mogull digs deeper:
This brings up a complex ethical issue about disclosure of security vulnerabilities. By releasing detailed information before Apple patched the flaws, Core places all Mac users at risk. On the other hand ... Core worked with Apple to coordinate the release with the patch until communications seemed to break down at the last minute. My personal opinion is that researchers should only release vulnerability details either after a patch is released, or if there is clear evidence the bad guys already know about the vulnerability and are exploiting it in the wild. However, some researchers disagree with my opinion and feel they should also release details if a vendor is unresponsive or doesn't patch within a reasonable time period. I used to share this opinion, but over time I've come to believe that the stakes have changed in the last 5 to 10 years. more
And finally...
Buffer overflow:
- Groklaw: Microsoft Supporting ODF? -- Close, But No Cigar
- Stacey Higginbotham: PeoplePad Keeping Mum on Semantic Plans
- Dan Goodin: After Debian's epic SSL blunder, a world of hurt for security pros
- High Scalability: Cloud Programming Directly Feeds Cost Allocation Back into Software Design
- Information Aesthetics: MotoGP statistics viewer
- Greg Sandoval: FAQ: What Microsoft's block of 'American Gladiators' teaches us
- Technology Bites: Google Sites now open to everyone
Other Computerworld bloggers:
- Angela Gunn: Ivan Krstic sticks a fork in the OLPC project
- Lucas Mearian: Celerra Man
- SJVN: Is Microsoft Office in trouble?
- Robert L. Mitchell: Fuel prices put big rig tech to the test
- Preston Gralla: Anti-malware group: Apple refuses to fix big Safari security hole
- Mike Elgan: New TSA laptop bag policy won't improve anything
- Mark Hall: SugarCRM widens SaaS market for CRM tools
- Shark Tank: Step by step
- Shark Bait: Good idea, bad implementation
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 21 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.