Home / mailings APPLE-SA-2008-07-10 Apple TV 2.1
Posted on 10 July 2008
Apple Security-announce-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2008-07-10 Apple TV 2.1
Apple TV 2.1 is now available and addresses the following issues:
Apple TV
CVE-ID: CVE-2008-1015
Available for: Apple TV
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in the handling of data reference atoms may
result in a buffer overflow. Viewing a maliciously crafted movie file
may lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue by performing additional
validation of data reference atoms. Credit to Chris Ries of Carnegie
Mellon University Computing Services for reporting this issue.
Apple TV
CVE-ID: CVE-2008-1017
Available for: Apple TV
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in the parsing of 'crgn' atoms may result in a
heap buffer overflow. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to Sanbin Li working with TippingPoint's Zero Day
Initiative for reporting this issue.
Apple TV
CVE-ID: CVE-2008-1018
Available for: Apple TV
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An issue in the parsing of 'chan' atoms may result in a
heap buffer overflow. Viewing a maliciously crafted movie file may
lead to an unexpected application termination or arbitrary code
execution. This update addresses the issue through improved bounds
checking. Credit to an anonymous researcher working with
TippingPoint's Zero Day Initiative for reporting this issue.
Apple TV
CVE-ID: CVE-2008-1585
Available for: Apple TV
Impact: Playing maliciously crafted QuickTime content may lead to
arbitrary code execution
Description: A URL handling issue exists in the handling of file:
URLs. This may allow arbitrary applications and files to be launched
when a user plays maliciously crafted QuickTime content. This update
addresses the issue by not longer launching local applications and
files. Credit to Vinoo Thomas and Rahul Mohandas of McAfee Avert
Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with
TippingPoint's Zero Day Initiative for reporting this issue.
Apple TV
CVE-ID: CVE-2008-0234
Available for: Apple TV
Impact: Playing maliciously crafted QuickTime content may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of HTTP
responses when RTSP tunneling is enabled. Playing maliciously crafted
QuickTime content may lead to an unexpected application termination
or arbitrary code execution. This update addresses the issue through
improved bounds checking.
Apple TV
CVE-ID: CVE-2008-0036
Available for: Apple TV
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow may occur while processing a
compressed PICT image. Opening a maliciously crafted compressed PICT
file may lead to an unexpected application termination or arbitrary
code execution. This update addresses the issue by terminating
decoding when the result would extend beyond the end of the
destination buffer. Credit to Chris Ries of Carnegie Mellon
University Computing Services for reporting this issue.
Installation note:
The Apple TV device will automatically check Apple's update server on
its weekly schedule. When an update is detected, it will download
it, verify its signature, and install it.
This process may take up to a week depending on the day that the
Apple TV device checks for updates. Alternatively, you may manually
update your Apple TV using the TV interface by selecting
Settings > Update Software.
This update is only available directly to the Apple TV, and will not
appear in your computer's Software Update application, or in the
Apple Downloads site.
To check that the Apple TV has been updated, use the TV interface:
* Navigate to Settings
* Select About
* The Software Version after applying this update will be "2.1"
* To exit the About screen to the main menu, press Menu
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/