ECommerceTimes.com
Exploits & Vulnerabilities

Security Firm to Apple: Ready or Not, Here's That Exploit


After apparently working with Apple for months to develop a patch for iCal vulnerabilities it found, Core Security has gone ahead and published the exploits on the Web. Going public with a flaw can alert users to mind their behavior -- as well as light a fire under the vendor to come up with a fast fix.

Core Security has published three Mac OS X iCal-based vulnerabilities -- two that can crash the iCal program and one that could conceivably allow a hacker to take control of another person's computer.

The newly publicized exploits have gained attention recently in part because of the way in which they've been presented. Core Security, perhaps attempting to spur Apple (Nasdaq: AAPL) into action, posted the flaws on the Web for all to see after spending several months trying to work with Apple on a patch.

The severity of the flaws is somewhat debatable, yet they certainly exist.

iCal, the personal calendaring application integrated with Mac OS X, stores calendars in the iCalendar standard file format (files with the .ics extension) and uses the CalDAV protocol for calendar sharing. Because a growing number of Web sites provide calendar files and subscriptions to calendar updates, iCal-using Mac owners may be increasingly exposed to possible exploits, though Core Security reports that there are no known exploits in the wild at this time.

The Problems

"There are three vulnerabilities that we published; two are crasher-only bugs, and that means anyone who exploits them will crash iCal, but not run code on your computer," Ivan Arce, CTO of Core Security Technologies, told MacNewsWorld.

"Those two have low severity, but the third one can be used to compromise the computer with all the rights of the user running the application. For that to happen, the most likely scenario is the user opening up an e-mail or a calendar file that is malicious and has been specially crafted," he explained. If the user then edits the file, the Mac would be compromised.

"It requires some form of assistance," Arce added.

On a Scale of One to 10?

Rich Mogull, an independent security researcher and consultant at Securosis.com, ranks the overall security risk of the vulnerabilities on the low end of the scale.

If 10 represents the highest risk, "in this case, two or three, maybe lower," he told MacNewsWorld.

The key reasons are that the first two exploits are more annoying -- crashing iCal -- than really damaging. The third, while possibly devastating, requires an end user to import the malicious iCal entry and then attempt to edit it.

With a little social engineering, a malicious hacker might be able to trick the user into editing the iCal file, but hopefully the end user would be importing and modifying calendar items only from trusted sources, and fishy entries would get deleted or never imported at all.

Either way, the Core Security advisory has proof-of-concept code that illustrates the risk.

Butting Heads With Apple?

Security companies will often notify an application or hardware vendor of vulnerabilities before publishing them. Usually, the vulnerability is disclosed, the company issues a patch, and the security company publishes the vulnerability data. Sometimes the process breaks down, usually when the company -- Apple in this case -- doesn't have time to get the fix completed, isn't able to get a fix made, or simply disagrees on the severity of the problem.

Occasionally, security companies publish quickly as a method for gaining attention and prompting vendors to get the problem fixed.

Core Security first reported the iCal issues to Apple in January, along with a fourth, wiki-related problem, which Apple promptly fixed. Core Security, as part of the advisory, published a timeline of the correspondence between it and Apple over when the iCal flaws would be patched, with Apple reportedly asking for additional time on several occasions.

In the last exchange, according to Core Security, Apple said it would provide a fix on May 19. When that date came and went, Core Security had a decision to make.

"We thought, since day one, that we needed to balance the need for generating a fix with the need for warning users to be aware of the problem and their exposure and being able to do something about it," Arce said, noting that after several months, based on the company's process for working with vendors, it was time to report the vulnerabilities publicly.

Latest Versions of iCal and OS X Affected

Core Security first reported that Mac OS X 10.5.1 and iCal 3.0.1 were vulnerable, with no mention of 10.5.2 and 3.0.2, which are the latest releases from Apple. Those versions, too, are affected by the vulnerabilities, Arce told MacNewsWorld.

For right now, users should not import untrusted iCal events or edit events that may be suspect until a fix is delivered by Apple.
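Until a patch arrives, the practical control is to gate what reaches iCal. The following Python check, added here as an example and not code from Core Security's advisory or from Apple, performs a structural sanity check on a downloaded .ics file before it is imported: it flags unbalanced BEGIN/END blocks, oversized content lines and embedded control bytes, all of which are malformed-input classes a calendar parser should never have to handle. The two sample files and the line-length cap are constructed for the example.

```python
import re

# Constructed sample: a well-formed .ics event (not from the advisory).
GOOD_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//example//EN\r\n"
    "BEGIN:VEVENT\r\nUID:1@example.com\r\nDTSTAMP:20080521T120000Z\r\n"
    "DTSTART:20080601T090000Z\r\nSUMMARY:Team meeting\r\nEND:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)
# Constructed sample: structurally broken file (unbalanced blocks,
# oversized line, control byte in a value).
BAD_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID:2@example.com\r\n"
    "SUMMARY:" + "A" * 5000 + "\r\nDESCRIPTION:x\x00y\r\nEND:VCALENDAR\r\n"
)

MAX_LINE = 998  # hypothetical cap; RFC 5545 folds content lines at 75 octets
PROP_RE = re.compile(r"^[A-Za-z0-9-]+(;[^:]*)?:")  # NAME[;params]:value

def check_ics(text):
    """Return a list of findings; an empty list means the file passed the check."""
    findings = []
    stack = []  # open BEGIN blocks, innermost last
    for n, line in enumerate(text.split("\r\n"), 1):
        if line == "":
            continue
        if len(line) > MAX_LINE:
            findings.append(f"line {n}: content line too long ({len(line)} chars)")
        if any(ord(c) < 0x20 and c != "\t" for c in line):
            findings.append(f"line {n}: control character in content line")
        if line.startswith((" ", "\t")):  # folded continuation of previous line
            continue
        if not PROP_RE.match(line):
            findings.append(f"line {n}: not a property line")
            continue
        name, _, value = line.partition(":")
        name = name.split(";")[0].upper()
        if name == "BEGIN":
            stack.append(value.upper())
        elif name == "END":
            if not stack or stack[-1] != value.upper():
                findings.append(f"line {n}: END:{value} does not match open block")
            else:
                stack.pop()
    if stack:
        findings.append("unterminated blocks: " + ", ".join(stack))
    return findings

def safe_to_import(text):
    """True only when the structural check raises no findings."""
    return check_ics(text) == []
```

A file that fails the check should be discarded rather than opened for editing, since the third flaw is triggered only when the user edits the imported entry.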


By Chris Maxcer