SecurityTracker.com
Category:   Application (Calendar)  >   iCal
Vendors:   Apple
Apple iCal Calendar Import May Let Remote Users Add Unauthorized Alarm Actions
SecurityTracker Alert ID:  1012296
SecurityTracker URL:  http://securitytracker.com/id/1012296
CVE Reference:   CVE-2004-1021
Date:  Nov 22 2004
Impact:   Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 1.5.4
Description:   A vulnerability was reported in Apple's iCal calendar software. A remote user can create a calendar that, when imported, will add alarm actions without authorization.

The iCal calendar alarms can execute applications and send e-mail messages.

The vendor credits aaron@vtty.com with reporting this flaw.

Impact:   A remote user (with authority to add an iCal calendar) can add alarms without approval.
Solution:   The vendor has issued a fixed version (1.5.4), available from the Software Update pane in System Preferences, or via Apple's iCal web site:

http://www.apple.com/ical/download/

The download file is named: "iCal154.dmg"
Its SHA-1 digest is: 0bcb7c569bd3410f001c922afc337019203c19de

Vendor URL:  www.apple.com/support/security/security_updates.html
Cause:   Access control error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.2.3 and later

Message History:   None.
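
A pre-import check in the spirit of the fix described above, as an added example (not SecurityTracker's or Apple's code): it lists every alarm (VALARM component) in a calendar file and flags any whose action is not a passive notification, such as the program-launching and e-mail alarms the description mentions. It assumes the RFC 2445 iCalendar text format; the function names and the sample calendar are constructed for illustration.

```python
import re

PASSIVE_ACTIONS = {"AUDIO", "DISPLAY"}  # RFC 2445 actions that only notify the user
# NAME, optional ;parameters (quoted values may contain ':'), then ':' and the value.
PROP = re.compile(r'^([\w-]+)((?:;(?:"[^"]*"|[^":])*)?):(.*)$')

def unfold(text):
    """Undo line folding: a line break followed by a space or tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()

def parse_line(line):
    """Return (NAME, value), splitting at the first colon outside double quotes."""
    m = PROP.match(line)
    return (m.group(1).upper(), m.group(3).strip()) if m else ("", "")

def find_alarms(ics_text):
    """Return one dict per VALARM: enclosing component, action, targets, review flag."""
    stack, alarms, current = [], [], None
    for line in unfold(ics_text):
        name, value = parse_line(line)
        if name == "BEGIN":
            if value.upper() == "VALARM":
                current = {"parent": stack[-1] if stack else None, "action": None, "targets": []}
            stack.append(value.upper())
        elif name == "END":
            if value.upper() == "VALARM" and current is not None:
                alarms.append(current)
                current = None
            if stack:
                stack.pop()
        elif current is not None and name == "ACTION":
            current["action"] = value.upper()
        elif current is not None and name in ("ATTACH", "ATTENDEE"):
            current["targets"].append(value)
    if current is not None:  # input ended inside a VALARM: report it anyway
        alarms.append(current)
    for alarm in alarms:  # fail closed on a missing or unknown ACTION
        alarm["needs_review"] = alarm["action"] not in PASSIVE_ACTIONS
    return alarms

# Constructed sample calendar (not from the advisory); the ATTACH line is folded.
SAMPLE = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nSUMMARY:Team meeting\r\n"
    "BEGIN:VALARM\r\nACTION:DISPLAY\r\nTRIGGER:-PT15M\r\nEND:VALARM\r\n"
    "BEGIN:VALARM\r\naction:PROCEDURE\r\nTRIGGER:-PT5M\r\n"
    "ATTACH;FMTTYPE=application/octet-stream:file:///path/to/place\r\n holder\r\nEND:VALARM\r\n"
    "BEGIN:VALARM\r\nACTION:EMAIL\r\nATTENDEE:mailto:user@example.com\r\nEND:VALARM\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
```

Calling `find_alarms(SAMPLE)` returns three alarms, of which the PROCEDURE and EMAIL entries carry `needs_review` set to true; a caller can hold such a calendar for user confirmation before importing it.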


 Source Message Contents

Subject:  APPLE-SA-2004-11-22 iCal 1.5.4


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2004-11-22 iCal 1.5.4

iCal 1.5.4 is now available and delivers the following security
enhancement:

CVE-ID:  CAN-2004-1021

Availability:  iCal 1.5.4 is available for Mac OS X v10.2.3 or later

Impact:  New iCal calendars may add alarms without approval

Description:  iCal calendars may include notification of events via
alarms.  These alarms may open programs and send e-mail.  iCal has
been updated to show an alert window when importing or opening
calendars containing alarms.  Credit to aaron@vtty.com for reporting
this issue.

iCal 1.5.4 may be obtained from the Software Update pane in System
Preferences, or Apple's iCal web site:
http://www.apple.com/ical/download/

The download file is named: "iCal154.dmg"
Its SHA-1 digest is:  0bcb7c569bd3410f001c922afc337019203c19de

Information will also be posted to the Apple Product Security
web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/security_pgp.html

