July 10, 2008 10:22 AM PDT

Apple TV gets a security update

by Robert Vamosi

Apple released a security update on Thursday for its Apple TV. Version 2.1 includes six patches that address buffer overflow and arbitrary code execution vulnerabilities.

Apple TV 2.1 can be automatically downloaded when the update is detected by the Apple TV device. The patches may take up to one week to be detected, depending on the day a device checks. A manual update can be accomplished by using the TV interface and selecting Settings > Update Software. This update will not appear in your computer's Software Update application or in the Apple Downloads site.

Here's an overview of the six patches, which affect only users of Apple TV:

  1. The update addresses a buffer overflow vulnerability described in CVE-2008-1015. According to Apple, "an issue in the handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution." Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
  2. The update addresses a buffer overflow vulnerability described in CVE-2008-1017. Apple says "an issue in the parsing of 'crgn' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution." Apple credits Sanbin Li, working with TippingPoint's Zero Day Initiative, for reporting this issue.
  3. The update addresses a buffer overflow vulnerability described in CVE-2008-1018. Apple says "viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings."
  4. The update addresses an arbitrary code execution vulnerability described in CVE-2008-2314. Apple says "a URL-handling issue exists in the handling of 'file:' URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content. This update addresses the issue by no longer launching local applications and files." Apple credits Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (aka pdp) Petkov of GNUCitizen working with TippingPoint's Zero Day Initiative, for reporting this issue.
  5. The update addresses a buffer overflow vulnerability described in CVE-2008-0234. Apple says "a heap buffer overflow exists in the handling of HTTP responses when RTSP tunneling is enabled. Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution."
  6. The update addresses a buffer overflow vulnerability described in CVE-2008-0036. Apple says "a buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by terminating decoding when the result would extend beyond the end of the destination buffer." Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
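The sixth fix, stopping the decoder before a run would pass the end of the destination buffer, is the kind of check worth seeing in code. The decoder below is an added example, not Apple's code (the PICT decoder is not public); it assumes the PackBits run-length layout PICT uses for pixel data, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical PackBits-style run-length decoder (illustrative, not Apple's
 * code). Mirrors the fix described for the PICT issue: decoding terminates as
 * soon as a run would extend beyond the end of the destination buffer.
 * Returns bytes written, or -1 on truncated or oversized input. */
long decode_packbits_bounded(const uint8_t *src, size_t src_len,
                             uint8_t *dst, size_t dst_len)
{
    size_t in = 0, out = 0, n = 0;
    while (in < src_len) {
        int8_t hdr = (int8_t)src[in++];
        if (hdr == -128)                 /* PackBits no-op header */
            continue;
        if (hdr >= 0) {                  /* literal run: hdr+1 raw bytes */
            n = (size_t)hdr + 1;
            if (n > src_len - in || n > dst_len - out)
                return -1;               /* input ends mid-run, or dst too small */
            memcpy(dst + out, src + in, n);
            in += n;
        } else {                         /* repeat run: next byte, 1-hdr times */
            n = (size_t)(1 - (int)hdr);
            if (in >= src_len || n > dst_len - out)
                return -1;               /* no data byte, or dst too small */
            memset(dst + out, src[in], n);
            in += 1;
        }
        out += n;
    }
    return (long)out;
}

/* Constructed inputs: "abc" literal then 'z' repeated 3 times; and a header
 * promising six literal bytes with only one present. */
const uint8_t SAMPLE[] = { 0x02, 'a', 'b', 'c', 0xFE, 'z' };
const uint8_t TRUNCATED[] = { 0x05, 'a' };

/* Decode src into a dst_len-byte scratch buffer (max 16). Returns -1 if the
 * decoder refused, 1 if the output equals expect, 0 otherwise. */
int check_decode(const uint8_t *src, size_t src_len, size_t dst_len,
                 const char *expect)
{
    uint8_t dst[16];
    if (dst_len > sizeof dst) return -1;
    long n = decode_packbits_bounded(src, src_len, dst, dst_len);
    if (n < 0) return -1;
    return (size_t)n == strlen(expect) && memcmp(dst, expect, (size_t)n) == 0;
}
```

With a 4-byte destination the literal run fits but the repeat run would overrun, so the decoder stops and reports failure instead of writing past the buffer; a 6-byte destination is an exact fit and succeeds.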

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by professionaladventurer July 10, 2008 11:51 AM PDT
Has anyone ever hacked an Apple TV in the wild?
by joetesta70 July 10, 2008 1:52 PM PDT
Apple TV = COMPLETE FLOP. I was suckered into buying an Apple TV and it's been an expensive wanna-be DVR, and really a paper weight. Without DVR you'll never use the thing and HD movies - yea like I want to wait 6 hours for the download. Apple, stick to overpriced laptops please.
by joetesta70 July 10, 2008 1:53 PM PDT
P.S. Buffer overflows? Security vulnerabilities? No thanks!
by bmrmagic August 1, 2008 2:52 PM PDT
wanna-be DVR, who said that? Not Apple. If you wish to dump your paper weight, send it to me. Love mine. Sounds like you need wireless N or are using a dial-up modem. I use a cable digital modem. I can start watching movies in minutes. I took my box to a friend's house who had DSL but only G wireless and it was painfully slow. Just got to know what you are doing before you leap.

If you only use it to download commercial movies you are missing out on all the fun. Home movies, Podcasts, YouTube, Photos and music. All are great.

Like I said, send me that paper weight. I will pay shipping.