Intology - Intelligent Technology News

Apple iCal security flaws still not fixed after four months

May 23rd, 2008 by Kiyani

According to researchers at Core Security, the bugs they discovered in the calendar application iCal in January are still not patched, even though they promptly informed Apple about them.

The firm found three security flaws that may seriously jeopardize a user's system if exploited.

iCal is a personal calendar application from Apple Inc. included on the Mac OS X operating system.

Core Security, which waited more than four months for Apple to fix these issues, said:

Three vulnerabilities in iCal may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) assistance from the end user. They could also repeatedly execute a denial of service attack to crash the iCal application.

The most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker.

The other two vulnerabilities lead to abnormal termination (crash) of the iCal application due to null-pointer dereference bugs triggered while parsing malformed .ics files.

Apple originally promised to publish fixes by March, then by April. But, after repeated delays and denials that there was a problem, Core Security went public with the information so that users could protect their information.

These vulnerabilities were discovered and researched by Rodrigo Carvalho, from the Core Security Consulting Services (SCS) team of Core Security Technologies during Bugweek 2007. Additional research was done by Ricardo Narvaja from the CORE IMPACT Exploit Writers Team (EWT).
