After fumbling its first attempt at launching Apple TV 6.0 last week, Apple has re-released the digital media receiver with patches for 57 bugs. Available for Apple TV 2nd generation and later, this is Apple’s first security update for the product since March.
This update comes with the usual fixes for vulnerabilities that may lead to unexpected application termination or arbitrary code execution, some of which occur when viewing maliciously crafted PDF files (due to buffer overflow issues that existed in the handling of JPEG2000 encoded data and JBIG2 encoded data in PDF files). Other critical fixes relate to kernel issues that may result in arbitrary code execution within the kernel or allow information disclosure.
Following is a list of all vulnerabilities patched with the Apple TV 6.0 update:
CVE-2013-1025 : Buffer overflow in CoreGraphics in Apple Mac OS X before 10.8.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted JBIG2 data in a PDF document. This issue was addressed through additional bounds checking.
CVE-2013-1019 : Buffer overflow in Apple QuickTime before 7.7.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with Sorenson encoding. This issue was addressed through improved bounds checking.
CVE-2013-5134 : An attacker with a privileged network position may intercept user credentials or other sensitive information. TrustWave, a trusted root CA, has issued, and subsequently revoked, a sub-CA certificate from one of its trusted anchors. This sub-CA facilitated the interception of communications secured by Transport Layer Security (TLS). This update added the involved sub-CA certificate to OS X’s list of untrusted certificates.
CVE-2013-3950 : Stack-based buffer overflow in the openSharedCacheFile function in dyld.cpp in dyld in Apple iOS 5.1.x and 6.x through 6.1.3 makes it easier for attackers to conduct untethering attacks via a long string in the DYLD_SHARED_CACHE_DIR environment variable. This issue was addressed through improved bounds checking.
CVE-2013-1026 : Buffer overflow in ImageIO in Apple Mac OS X before 10.8.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted JPEG2000 data in a PDF document. This issue was addressed through additional bounds checking.
CVE-2013-5138 : A malicious local application could cause an unexpected system termination. A null pointer dereference existed in IOCatalogue. The issue was addressed through additional type checking.
CVE-2013-5139 : Executing a malicious application may result in arbitrary code execution within the kernel. An out-of-bounds array access existed in the IOSerialFamily driver. This issue was addressed through additional bounds checking.
CVE-2013-5140 : A remote attacker can cause a device to unexpectedly restart. Sending an invalid packet fragment to a device can cause a kernel assert to trigger, leading to a device restart. The issue was addressed through additional validation of packet fragments.
CVE-2011-2391 : An attacker on a local network can cause a denial of service. An attacker on a local network can send specially crafted IPv6 ICMP packets and cause high CPU load. The issue was addressed by rate limiting ICMP packets before verifying their checksum.
CVE-2013-5142 : Kernel stack memory may be disclosed to local users. An information disclosure issue existed in the msgctl and segctl APIs. This issue was addressed by initializing data structures returned from the kernel.
CVE-2013-3953 : The mach_port_space_info function in osfmk/ipc/mach_debug.c in the XNU kernel in Apple Mac OS X 10.8.x does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel heap memory via a crafted call.
CVE-2013-3954 : The posix_spawn system call in the XNU kernel in Apple Mac OS X 10.8.x does not properly validate the data for file actions and port actions, which allows local users to (1) cause a denial of service (panic) via a size value that is inconsistent with a header count field, or (2) obtain sensitive information from kernel heap memory via a certain size value in conjunction with a crafted buffer.
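The three kernel information-disclosure items above (msgctl/segctl, mach_port_space_info, and the posix_spawn heap leak) share one root cause: a record is built field by field and then copied out to user space with its alignment padding still holding whatever the kernel stack or heap last contained, and the fix is to zero the whole object before filling it. The C program below is an added illustration, not Apple's or XNU's code; `struct kinfo` is a constructed stand-in for such a record, and the stale-byte pattern simulates leftover memory from an earlier use of the same region.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a kernel record that gets copied out to user
 * space. The 1-byte and 2-byte fields force alignment padding that no
 * field assignment ever writes. */
struct kinfo {
    uint8_t  flags;
    uint64_t value;
    uint16_t count;
};

#define STALE_BYTE 0x41  /* simulates data left behind by an earlier caller */

typedef void (*fill_fn)(struct kinfo *out);

/* "Before": every field is assigned, but the padding keeps its old bytes. */
static void fill_vulnerable(struct kinfo *out) {
    out->flags = 1;
    out->value = 0x1122334455667788ULL;
    out->count = 7;
}

/* "After": zero the entire object first, then assign the fields. */
static void fill_hardened(struct kinfo *out) {
    memset(out, 0, sizeof *out);
    out->flags = 1;
    out->value = 0x1122334455667788ULL;
    out->count = 7;
}

/* Padding bytes in struct kinfo on this ABI (13 on x86_64, ABI dependent). */
size_t padding_bytes(void) {
    return sizeof(struct kinfo) - sizeof(uint8_t) - sizeof(uint64_t) - sizeof(uint16_t);
}

/* Emulates the copyout: build the record in memory that still holds stale
 * data, then count how many stale bytes would reach user space. */
size_t leaked_bytes(fill_fn fill) {
    union { struct kinfo s; unsigned char raw[sizeof(struct kinfo)]; } u;
    memset(u.raw, STALE_BYTE, sizeof u.raw);   /* stale region before reuse */
    fill(&u.s);
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof u.raw; i++)
        if (u.raw[i] == STALE_BYTE) leaked++;
    return leaked;
}

int main(void) {
    printf("padding bytes in record:          %zu\n", padding_bytes());
    printf("stale bytes leaked, vulnerable:   %zu\n", leaked_bytes(fill_vulnerable));
    printf("stale bytes leaked, hardened:     %zu\n", leaked_bytes(fill_hardened));
    return 0;
}
```

The exact leak count depends on the compiler's struct layout, which is why the check compares against `padding_bytes()` rather than a fixed number.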
CVE-2013-5145 : An unauthorized process may modify the set of loaded kernel extensions. An issue existed in kextd’s handling of IPC messages from unauthenticated senders. This issue was addressed by adding additional authorization checks.
CVE-2011-3102, CVE-2012-0841, CVE-2012-2807, CVE-2012-5134 : Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in libxml. These issues were addressed by updating libxml to version 2.9.0.
CVE-2012-2825, CVE-2012-2870, CVE-2012-2871 : Viewing a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Multiple memory corruption issues existed in libxslt. These issues were addressed by updating libxslt to version 1.1.28.