iCal bugs can lead to DoS and code execution attacks

Researchers with Core Security have found three vulnerabilities in Mac OS X's calendaring app that could create havoc for users.

The most serious vulnerability deals with a memory corruption issue that is triggered by a specially-crafted .ics file being executed. At the heart of it is a resource liberation bug which is triggered through the file, thus allowing code execution.

A user could lose control of his or her Mac through this bug, the firm warned. While it appears the bug needs to be exploited with some intervention from the end-user, Core said it may be exploitable without as well.

Both of the remaining flaws deal with denial of service issues, where repeated crashes prevent use of the iCal application. As with the previous bug, a specially-crafted .ics file is launched, which then takes advantage of a null-pointer dereference bug in the software.

Core could not find any evidence that this issue could also result in code execution.

"Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on specially crafted .ics file send over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server," the firm said in an advisory.

The flaw was found on iCal 3.0.1 running on Mac OS X 10.5.1. Upgraded versions of the software are not affected.