Apple released a security update on Thursday for its Apple TV. Version 2.1 includes six patches that address buffer overflow and arbitrary code execution vulnerabilities.
Apple TV 2.1 can be automatically downloaded when the update is detected by the Apple TV device. The patches may take up to one week to be detected, depending on the day a device checks. A manual update can be accomplished by using the TV interface and selecting Settings > Update Software. This update will not appear in your computer's Software Update application or in the Apple Downloads site.
Here's an overview of the six patches, which affect only users of Apple TV:
- The update addresses a buffer overflow vulnerability described in CVE-2008-1015. According to Apple, "an issue in the handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution." Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
- The update addresses a buffer overflow vulnerability described in CVE-2008-1017. Apple says "an issue in the parsing of 'crgn' atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution." Apple credits Sanbin Li, working with TippingPoint's Zero Day Initiative, for reporting this issue.
- The update addresses a buffer overflow vulnerability described in CVE-2008-1018. Apple says "viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution." This update addresses the issue through improved handling of format strings."
- The update addresses an arbitrary code execution vulnerability described in CVE-2008-2314. Apple says "a URL-handling issue exists in the handling of 'file:' URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content. This update addresses the issue by no longer launching local applications and files. Apple credits Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (aka pdp) Petkov of GNUCitizen working with TippingPoint's Zero Day Initiative, for reporting this issue.
- The update addresses a buffer overflow vulnerability described in CVE-2008-0234. Apple says "a heap buffer overflow exists in the handling of HTTP responses when RTSP tunneling is enabled. Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution."
- The update addresses a buffer overflow vulnerability described in CVE-2008-0036. Apple says "a buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by terminating decoding when the result would extend beyond the end of the destination buffer." Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
WASHINGTON--Researchers Charlie Miller of Independent Security Evaluators, and Dino Dai Zovi, turned their attention to Second Life during a Saturday morning presentation at ShmooCon, an East Coast computer hacking conference. The researchers didn't exploit a flaw within Linden Labs' Second Life, but within QuickTime. They showed how an attacker could make money stealing from innocent Second Life victims.
Miller and Zovi are both experienced with flaws within Apple products. Miller published the first Apple iPhone flaw shortly after its release. At last year's CanSecWest security conference, Zovi exploited a QuickTime flaw to win a "PWN to Own" hack-a-Mac contest. While Second Life does not install QuickTime, it invites users to install the player if they want to see multimedia files within Second Life.
What Miller and Zovi realized is that while direct communication between an attacker and a victim within Second Life passes through the servers at Linden Labs, multimedia objects are actually stored somewhere else. Hence, an object with a multimedia link could inject malicious code. In this case, researchers exploited a recent flaw within RTSP tunneling.
For their demonstration, they created "the most evil pink box you will ever see." They could have linked their malicious code to attributes of an avatar's hair, clothes, or anything else. They also could have buried the pink box underground or otherwise hidden it, but both researchers admitted they weren't very good players within Second Life.
Within Second Life they used a property that they own to demonstrate the exploit. Linden Labs sent a representative at the conference and a robot to the virtual demonstration site. The robot held a sign saying Hello to ShmooCon attendees watching the live demo.
In the demo, the researchers were able to show that their avatar became infected when it came too near the pink box. The code they used raided the avatar's Linden dollars and emptied the bank account. On the Internet, an attacker can get one dollar for every 275 Linden dollars stolen, so there is a financial incentive to these attacks and other future attacks. The attack demonstrated today works only on the property they own, and for the safety of others they put up signs perimeter that clearly stated a demo of an exploit was in progress.
To protect yourself while in Second Life, the researchers suggested either turning off multimedia altogether, or setting the multimedia preference within Second Life not to play streaming video when available, but to ask the user first.
On Wednesday, Apple released QuickTime 7.4.1. The update is for users of Mac OS X v10.3.9, Mac OS X v10.4.7, Mac OS X v10.5 or later, and Windows Vista and Windows XP SP2. It addresses the vulnerability described in CVE-2008-0234.
By enticing a user to visit a maliciously crafted Web page, Apple says that an attacker may use an unpatched version of QuickTime to cause an unexpected application termination or arbitrary code execution. The vulnerability is a heap buffer overflow that exists in QuickTime's handling of HTTP responses when RTSP tunneling is enabled. Apple did not credit a researcher for reporting this vulnerability.
There is a new exploit that affects how Apple QuickTime handles the Real Time Streaming Protocol (RTSP) and may allow an attacker to execute arbitrary code or cause a denial-of-service attack on a vulnerable system. The condition is similar yet different from a QuickTime RTSP flaw reported in December. This new vulnerability can occur on a fully patched QuickTime version 7.3.1, running on Windows and possibly Mac OS X.
Discovered by Luigi Auriemma, details can be found here, and here. Auriemma provides an exploit example on his site and writes: "For exploiting this vulnerability is only needed that an user follows a rtsp:// link, if the port 554 of the server is closed QuickTime will automatically change the transport and will try the HTTP protocol on port 80, the 404 error message of the server (other error numbers are valid too) will be visualized in the LCD-like screen."
Apple has not said when a patch for this will become available.
- prev
- 1
- next
