Apple's iCal Security Flaw Exposed
A security firm has identified serious vulnerabilities in Apple's iCal calendar application. Core Security Technologies reports that it discovered three vulnerabilities in the application, which could enable an attacker to execute arbitrary code or launch a denial of service attack.

The most serious of the vulnerabilities stems from "potential memory corruption" caused by a bug that attackers can trigger with a specially crafted, malformed .ics calendar file, Core said. The other two vulnerabilities lead to crashes of iCal due to "null-pointer dereference bugs triggered while parsing malformed .ics files," the firm said. Core researched but did not ultimately prove that it was possible to inject arbitrary code onto vulnerable systems using these methods.

Frustration with Apple

"Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on a specially crafted .ics file sent over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server," Core said.

The security posting includes a long log file of Core's interactions with Apple over this security issue. Apple requested several extensions of the publication date of the report, and Core evinced frustration with the delays. Core first notified Apple of the flaws in January, and the companies debated the severity of the flaws in a series of messages over several months. Apple said that it would release a security fix on May 19, but as that date passed without a release, Core published its report on Wednesday.

It's not uncommon for security firms to be frustrated with vendors, said Andrew Storms, director of security operations for nCircle Network Security. "When researchers publicly disclose their timelines and communications with vendors on security issues, rarely do we find compassion for the vendor," Storms wrote in an email.
Few security firms understand the complexities of large software organizations.

Importance of Vendor Communication

"If you take a 30,000-foot view of the world of Microsoft security releases, for example, so long as the immediate risk is not great, you'll see that on average it takes six to eight months for a patch to be released," Storms said. Apple's historical response rate "seems to be just slightly faster," he added. "In both cases, you always end up with the outliers where bugs go unpatched for a year, and conversely in some cases seem to be patched in less than 3 months," he said.

The difference is not turnaround time but communication, Storms said. "Many researchers have said that Microsoft has done well to communicate and work in tandem with the reporters of vulnerabilities. Apple, on the other hand, has a murky history. And when it comes to public discourse of security issues, Microsoft is certainly the leader there," Storms concluded.
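The bugs Core describes were triggered while parsing malformed .ics files. As an added illustration, not part of this article and not Apple's or Core's code, the following Python parser shows the checks a robust iCalendar (RFC 5545) content-line and component parser performs so that malformed input (an END with no open component, an orphan continuation line, a missing ':' separator, runaway nesting) is rejected with a clean error instead of reaching code that assumes a current component exists. The line-length and nesting limits and every sample input are constructed assumptions.

```python
"""Defensive iCalendar (.ics) parsing, written as an added example for this page.

Not Apple's iCal code and not Core's advisory material: it models the parsing
stage where the reported bugs were triggered and rejects malformed input with an
exception.  Limits and sample inputs are constructed assumptions.
"""
import re

MAX_LINE_LEN = 8192   # assumed cap on one unfolded content line
MAX_DEPTH = 16        # assumed cap on nested BEGIN:/END: components
_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")   # iana-token / x-name characters


class MalformedICS(ValueError):
    """Raised for anything the parser refuses; callers get an exception, not a crash."""


def unfold(text: str) -> list[str]:
    """Join RFC 5545 folded lines: a line starting with space or tab continues the previous one."""
    lines: list[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw == "":
            continue
        if raw[0] in " \t":
            if not lines:
                raise MalformedICS("continuation line with nothing to continue")
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
        if len(lines[-1]) > MAX_LINE_LEN:
            raise MalformedICS("content line exceeds length cap")
    return lines


def _split_outside_quotes(s: str, sep: str) -> list[str]:
    """Split on sep, ignoring separators inside double-quoted parameter values."""
    parts, buf, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise MalformedICS("unterminated quoted parameter value")
    parts.append("".join(buf))
    return parts


def parse_content_line(line: str) -> tuple[str, dict[str, str], str]:
    """Split 'NAME;PARAM=VALUE;...:VALUE' into (name, params, value), validating each piece."""
    quoted = False
    for i, ch in enumerate(line):          # first ':' outside quotes separates head from value
        if ch == '"':
            quoted = not quoted
        elif ch == ":" and not quoted:
            head, value = line[:i], line[i + 1:]
            break
    else:
        raise MalformedICS(f"no ':' separator in line {line[:40]!r}")
    name, *raw_params = _split_outside_quotes(head, ";")
    name = name.upper()
    if not _NAME_RE.match(name):
        raise MalformedICS(f"bad property name {name!r}")
    params: dict[str, str] = {}
    for p in raw_params:
        key, eq, val = p.partition("=")
        if not eq or not _NAME_RE.match(key):
            raise MalformedICS(f"bad parameter {p!r} on {name}")
        params[key.upper()] = val.strip('"')
    return name, params, value


def parse_ics(text: str) -> dict:
    """Build a component tree, enforcing BEGIN/END pairing, nesting depth and a VCALENDAR root."""
    stack: list[dict] = []
    root = None
    for line in unfold(text):
        name, params, value = parse_content_line(line)
        if name == "BEGIN":
            if len(stack) >= MAX_DEPTH:
                raise MalformedICS("component nesting too deep")
            comp = {"type": value.upper(), "props": [], "children": []}
            if stack:
                stack[-1]["children"].append(comp)
            elif root is None:
                root = comp
            else:
                raise MalformedICS("more than one top-level component")
            stack.append(comp)
        elif name == "END":
            # No open component here is exactly the state in which a parser that blindly
            # dereferences its "current component" pointer would crash; we refuse instead.
            if not stack:
                raise MalformedICS("END without a matching BEGIN")
            if stack[-1]["type"] != value.upper():
                raise MalformedICS(f"END:{value} closes open {stack[-1]['type']}")
            stack.pop()
        else:
            if not stack:
                raise MalformedICS(f"property {name} outside any component")
            stack[-1]["props"].append((name, params, value))
    if stack:
        raise MalformedICS(f"unterminated component {stack[-1]['type']}")
    if root is None or root["type"] != "VCALENDAR":
        raise MalformedICS("input is not a VCALENDAR")
    return root


# Constructed sample inputs: one well-formed calendar and several malformed ones.
SAMPLES = {
    "valid": (
        "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//example//added-sample//EN\r\n"
        "BEGIN:VEVENT\r\nUID:1@example.invalid\r\nDTSTART:20080521T100000Z\r\n"
        "SUMMARY:Folded\r\n  summary line\r\n"
        'ATTENDEE;CN="Doe; J":mailto:j@example.invalid\r\n'
        "END:VEVENT\r\nEND:VCALENDAR\r\n"
    ),
    "end_without_begin": "END:VEVENT\r\n",
    "mismatched_end": "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nEND:VCALENDAR\r\n",
    "orphan_continuation": " DTSTART:20080521T100000Z\r\n",
    "missing_colon": "BEGIN:VCALENDAR\r\nDTSTART\r\nEND:VCALENDAR\r\n",
    "too_deep": "BEGIN:VCALENDAR\r\n" + "BEGIN:X-NEST\r\n" * 40,
}


def check_samples() -> dict[str, str]:
    """Parse every sample and report 'ok' or the rejection reason; nothing escapes as a crash."""
    results = {}
    for label, text in SAMPLES.items():
        try:
            parse_ics(text)
            results[label] = "ok"
        except MalformedICS as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in check_samples().items():
        print(f"{label:22s} {outcome}")
```

Run as a script, the block prints one line per sample; only the well-formed calendar parses, and each malformed variant is named with the specific check that stopped it. The same pattern (explicit state checks at every point where the format's grammar can be violated, plus hard caps on length and nesting) is what a memory-unsafe parser has to get right by hand.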