Apple have left gaping security holes in their iCal application, bundled with OS X, for four months.

Researchers at Core Security have released details of three vulnerabilities in Apple's iCal scheduling application, after four months of talks with the company.

...

The iCal bugs comprise a single memory corruption flaw and two null-pointer vulnerabilities. The memory corruption bug creates a mechanism for attackers to inject hostile code into affected systems. The null pointer bugs might be used to crash the scheduling program.

Researchers out Apple over unpatched iCal bugs | The Register