Core Security has published three Mac OS X iCal-based vulnerabilities -- two that can crash the iCal program and one that could conceivably allow a hacker to take control of another person's computer.
The newly publicized exploits have gained attention recently in part because of the way in which they've been presented. Core Security, perhaps attempting to spur Apple (Nasdaq: AAPL) into action, posted the flaws on the Web for all to see after attempting to work with Apple for several months to work out a patch.
The severity of the flaws is somewhat debatable, yet they certainly exist.
iCal, the personal calendaring application integrated with Mac OS X, uses the iCalendar standard for its calendar file format, which uses the .ics extension as well as the CalDAV protocol for calendar sharing. Because there are a growing number of Web sites that provide calendar files and subscriptions to calendar updates, iCal-using Mac owners may be increasingly exposed to possible exploits, though Core Security reports that there are no known exploits in the wild at this time.
The Problems
"There are three vulnerabilities that we published; two are crasher-only bugs, and that means anyone who exploits them will crash iCal, but not run code on your computer," Ivan Arce, CTO of Core Security Technologies, told MacNewsWorld.
"Those two have low severity, but the third one can be used to compromise the computer with all the rights of the user running the application. For that to happen, the most likely scenario is the user opening up an e-mail or a calendar file that is malicious and has been specially crafted," he explained. If the user then edits the file, the Mac would be compromised.
"It requires some form of assistance," Arce added.
On a Scale of One to 10?
Rich Mogull, an independent security researcher and consultant at Securosis.com, ranks the overall security risk of the vulnerabilities on the low end of the scale.
If 10 represents the highest risk, "in this case, two or three, maybe lower," he told MacNewsWorld.
The key reasons are that the first two exploits are more annoying -- crashing iCal -- than really damaging. The third, while possibly devastating, requires an end user to import the malicious iCal entry and then attempt to edit it.
With a little social engineering, a malicious hacker might be able to trick the user into editing the iCal file, but hopefully the end user would be importing and modifying calendar items only from trusted sources, and fishy entries would get deleted or never imported at all.
Either way, the Core Security advisory has proof-of-concept code that illustrates the risk.
Butting Heads With Apple?
Security companies will often notify an application or hardware vendor of vulnerabilities before publishing them. Usually, the vulnerability is disclosed, the company issues a patch, and the security company publishes the vulnerability data. Sometimes the process breaks down, usually when the company -- Apple in this case -- doesn't have time to get the fix completed, isn't able to get a fix made, or simply disagrees on the severity of the problem.
Occasionally, security companies publish quickly as a method for gaining attention and prompting vendors to get the problem fixed.
Core Security first reported the iCal issues to Apple in January, along with a fourth, wiki-related problem, which Apple promptly fixed. As part of the advisory, Core Security published a timeline of its correspondence with Apple over when the iCal flaws would be patched, with Apple reportedly asking for additional time on several occasions.
In the last exchange, according to Core Security, Apple said it would provide a fix on May 19. When that date came and went, Core Security had a decision to make.
"We thought, since day one, that we needed to balance the need for generating a fix with the need for warning users to be aware of the problem and their exposure and being able to do something about it," Arce said, noting that after several months, based on the company's process for working with vendors, it was time to report the vulnerabilities publicly.
Latest Versions of iCal and OS X Affected
Core Security first reported that Mac OS X 10.5.1 and iCal 3.0.1 were vulnerable, with no mention of 10.5.2 and 3.0.2, which are the latest releases from Apple. Those versions, too, are affected by the vulnerabilities, Arce told MacNewsWorld.
For right now, users should not import untrusted iCal events or edit events that may be suspect until a fix is delivered by Apple.