Apple iCal Calendar bypass authorization
ical-calendar-authorization-bypass (18209)
Description:
iCal could allow a remote attacker, with rights to add a calendar, to bypass authorization and add alarm actions to a calendar. iCal calendar alarms can be used to execute applications and send messages via email.
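One way to review a calendar file for such alarms before it is imported is shown below. This is an added example, not part of the original advisory or of any vendor tooling. It assumes the standard iCalendar `VALARM` component with the `ACTION` values `PROCEDURE` and `EMAIL` defined in RFC 2445, and the sample calendar is constructed for illustration.

```python
import re

# Alarm actions that run a program or send mail (RFC 2445 ACTION values).
RISKY_ACTIONS = {"PROCEDURE", "EMAIL"}

def unfold(text):
    """Undo iCalendar line folding: a line break followed by space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def find_risky_alarms(ics_text):
    """Return one dict per VALARM whose ACTION is PROCEDURE or EMAIL."""
    findings, alarm, parents = [], None, []
    for line in unfold(ics_text):
        name, _, value = line.partition(":")  # simplification: ignores quoted ':' in parameters
        name = name.split(";", 1)[0].strip().upper()  # drop property parameters
        if name == "BEGIN":
            comp = value.strip().upper()
            if comp == "VALARM":
                alarm = {"component": parents[-1] if parents else None,
                         "action": None, "targets": []}
            else:
                parents.append(comp)
        elif name == "END":
            comp = value.strip().upper()
            if comp == "VALARM" and alarm is not None:
                if alarm["action"] in RISKY_ACTIONS:
                    findings.append(alarm)
                alarm = None
            elif parents and parents[-1] == comp:
                parents.pop()
        elif alarm is not None:
            if name == "ACTION":
                alarm["action"] = value.strip().upper()
            elif name in ("ATTACH", "ATTENDEE"):  # what would be run or who would be mailed
                alarm["targets"].append(value.strip())
    return findings

# Constructed sample calendar: one harmless DISPLAY alarm and two that warrant review.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "BEGIN:VEVENT", "SUMMARY:Constructed sample event",
    "BEGIN:VALARM", "ACTION:DISPLAY", "DESCRIPTION:Reminder", "TRIGGER:-PT15M", "END:VALARM",
    "BEGIN:VALARM", "ACTION:PROCEDURE", "ATTACH;FMTTYPE=application/binary:file:///example/pla",
    " ceholder-program", "TRIGGER:-PT5M", "END:VALARM",
    "BEGIN:VALARM", "action:email", "ATTENDEE:mailto:someone@example.invalid",
    "TRIGGER:-PT1M", "END:VALARM", "END:VEVENT", "END:VCALENDAR",
])

if __name__ == "__main__":
    for f in find_risky_alarms(SAMPLE):
        print(f["component"], f["action"], f["targets"])
```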
Platforms Affected:
- Brown Bear Software, iCal prior to 1.5.4
Remedy:
Upgrade to the latest version of iCal (1.5.4 or later), available from the iCal Web site. See references.
For Mac OS:
Apply Security Update 2004-12-02, as listed in AppleCare Knowledge Base Document 61798. See References.
Consequences:
Bypass Security
References:
- Apple Security Updates 2004-11-22 61798, Apple Security Updates at http://docs.info.apple.com/article.html?artnum=61798.
- AppleCare Knowledge Base Document 61798, Security Update 2004-12-02 at http://docs.info.apple.com/article.html?artnum=61798.
- iCal Web site, iCal at http://www.apple.com/ical/.
- BID-11728: Apple iCal Calendar Import Alarm Notification Failure Vulnerability
- CVE-2004-1021: iCal before 1.5.4 on Mac OS X 10.2.3, and other later versions, does not alert the user when handling calendars that use alarms, which allows attackers to execute programs and send e-mail via alarms.
Reported:
Nov 22, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
