Apple released a security update on Thursday for its Apple TV. Version 2.1 includes six patches that address buffer overflow and arbitrary code execution vulnerabilities.
Apple TV 2.1 can be automatically downloaded when the update is detected by the Apple TV device. The patches may take up to one week to be detected, depending on the day a device checks. A manual update can be accomplished by using the TV interface and selecting Settings > Update Software. This update will not appear in your computer's Software Update application or in the Apple Downloads site.
Here's an overview of the six patches, which affect only users of Apple TV:
- The update addresses a buffer overflow vulnerability described in CVE-2008-1015. According to Apple, "an issue in the handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution". Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
- The update addresses a buffer overflow vulnerability described in CVE-2008-1017. Apple says "an issue in the parsing of 'crgn' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution". Apple credits Sanbin Li, working with TippingPoint's Zero Day Initiative, for reporting this issue.
- The update addresses a buffer overflow vulnerability described in CVE-2008-1018. Apple says "viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution". This update addresses the issue through improved handling of format strings.
- The update addresses an arbitrary code execution vulnerability described in CVE-2008-2314. Apple says "a URL-handling issue exists in the handling of 'file:' URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content. This update addresses the issue by no longer launching local applications and files". Apple credits Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (aka pdp) Petkov of GNUCitizen working with TippingPoint's Zero Day Initiative, for reporting this issue.
- The update addresses a buffer overflow vulnerability described in CVE-2008-0234. Apple says "a heap buffer overflow exists in the handling of HTTP responses when RTSP tunneling is enabled. Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution".
- The update addresses a buffer overflow vulnerability described in CVE-2008-0036. Apple says "a buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by terminating decoding when the result would extend beyond the end of the destination buffer". Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
This article was first published as a blog on CNET News.com.
Play video
» Ultimate virtualization blade
Apple TV gets a security update
now a daya the tv can gets security update in feature it have to secure the channel serial.update addresses a buffer overflow vulnerability described in CVE-2008-1018. Apple says "viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution".update addresses a buffer overflow vulnerability described in CVE-2008-0036. Apple says "a buffer overflow may occur while processing a compressed PICT image. manoj Ad Post
Posted by Manoj on Friday, July 11 2008 05:08 PM