Core Security has issued a warning on "Multiple vulnerabilities in iCal." Classified as "remotely exploitable," the vulnerabilities in iCal "may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) assistance from the end user of the application, or to repeatedly execute a denial of service attack to crash the iCal application," Core Security Technologies warns.

According to the security company, "the most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker". The other two "lead to abnormal termination (crash) of the iCal application due to null-pointer dereference bugs triggered while parsing a malformed .ics files." However, although the ability to inject and execute arbitrary code on vulnerable systems using these vulnerabilities was "researched", it hasn't been "proven possible" yet.

But, just because it hasn't been proven possible doesn't mean it isn't. The security firm draws the line at exploiting these vulnerabilities in a "client-side attack scenario". As such, it is possible to execute arbitrary code on vulnerable systems "with user assistance by opening or clicking on specially crafted .ics file send [sic] over email or hosted on a malicious web server." Even worse, Core Security claims it can be done even "without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server."

The three vulnerabilities in question were discovered and researched by Rodrigo Carvalho, from the Core Security Consulting Services (SCS) team of Core Security Technologies, during Bugweek 2007. Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT) provided additional research.

iCal users are advised to open only the .ics files they know are from a familiar, verified source, until Apple rolls out an official patch for these potentially exploitable vulnerabilities.