Earlier this year a company called Core Security reported it had found critical vulnerabilities in Apple’s iCal calendar program that can be remotely exploited to crash the application or execute arbitrary code. Now, after several months of Apple wavering over whether the flaws were serious enough to warrant patches, the security vendor has decided to detail the three bugs, hoping that doing so will prompt Apple to take action more rapidly.
According to an advisory from Core Security, the most serious of the bugs is a memory corruption vulnerability that can be triggered if a user runs a malicious .ics file, while the other two are null-pointer errors that occur when iCal parses malformed .ics files. The vulnerabilities affect iCal version 3.0.1 running on Mac OS X 10.5.1. As of this writing, Apple has released no official patch, so until then users are strongly advised to open .ics files only from a known, verified source.