Apple Fixes Security Bugs in Apple TV 6.1.2 Update

Apple TV 6.1.2 has been released and includes multiple security-related fixes for 2nd generation and newer Apple TV models. This update addresses 35 security flaws altogether.

The following vulnerabilities are addressed in the Apple TV 6.1.2 update:

  • CVE-2014-1355 : An application could cause the device to unexpectedly restart. A null pointer dereference existed in the handling of IOKit API arguments. This issue was addressed through additional validation of IOKit API arguments.
  • CVE-2014-1356 : A malicious application may be able to execute arbitrary code with system privileges. A heap buffer overflow existed in launchd’s handling of IPC messages. This issue was addressed through improved bounds checking.
  • CVE-2014-1357 : A malicious application may be able to execute arbitrary code with system privileges. A heap buffer overflow existed in launchd’s handling of log messages. This issue was addressed through improved bounds checking.
  • CVE-2014-1358 : A malicious application may be able to execute arbitrary code with system privileges. An integer overflow existed in launchd. This issue was addressed through improved bounds checking.
  • CVE-2014-1359 : A malicious application may be able to execute arbitrary code with system privileges. An integer underflow existed in launchd. This issue was addressed through improved bounds checking.
  • CVE-2014-1361 : Two bytes of memory could be disclosed to a remote attacker. An uninitialized memory access issue existed in the handling of DTLS messages in a TLS connection. This issue was addressed by only accepting DTLS messages in a DTLS connection.
  • CVE-2013-2875, CVE-2013-2927, CVE-2014-1323, CVE-2014-1325, CVE-2014-1326, CVE-2014-1327, CVE-2014-1329, CVE-2014-1330, CVE-2014-1331, CVE-2014-1333, CVE-2014-1334, CVE-2014-1335, CVE-2014-1336, CVE-2014-1337, CVE-2014-1338, CVE-2014-1339, CVE-2014-1341, CVE-2014-1342, CVE-2014-1343, CVE-2014-1362, CVE-2014-1363, CVE-2014-1364, CVE-2014-1365, CVE-2014-1366, CVE-2014-1367, CVE-2014-1368, CVE-2014-1382, CVE-2014-1731 : Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
  • CVE-2014-1383 : An iTunes Store transaction may be completed with insufficient authorization. A signed-in user was able to complete an iTunes Store transaction without providing a valid password when prompted. This issue was addressed by additional enforcement of purchase authorization.

Users can download the software update by turning on their Apple TV and going to Settings > General > Update Software.