Enabling Secure Business Operations

Automatically opening attachments.

Core Security released details on three iCal bugs last week. What’s suspicious is that Apple hasn’t fixed them yet, despite being told in January. The bugs are relatively harmless if you have iCal configured correctly, i.e. not to automatically parse invitations from Mail. Unfortunately, that’s not the default on Leopard. I’ve run into the same problem before, and I turned the “feature” off for other reasons.

There’s a bug in the .ics parser that could allow remote code execution. Not good.

Any program that automatically opens attachments from your mail reader (Mail, Outlook, Thunderbird, etc.) SHOULD BE RECONFIGURED! The same goes for remote images. Any attachment should be suspect unless you know who it came from, and spam does not qualify as “knowing who it came from”.

This simple configuration change can save you a lot of headaches in the long run: besides protecting you from any known vulnerabilities floating around, you’ve closed off a vector for new ones.
