Apple makes its TV service safer
Apple has released a security update for Apple TV, its streaming box and living-room client for iTunes, to close six critical security holes. The vendor says that attackers could inject and execute arbitrary code on the device when specially crafted movies are played back. As a result, the unit could be used to purchase iTunes music or be integrated into a bot network as a zombie. The holes are at least partly the result of flaws in the handling of chan and crgn atoms, which lead to buffer overflows. Furthermore, two flaws in QuickTime are related to the handling of certain URLs and RTSP tunnels. Specially crafted PICT images can also provoke a buffer overflow.
The update to version 2.1 is now available for download. However, the automatic update function in Apple TV only checks for new updates once a week, so it may take a few days before your system finds and installs this update. Fortunately, you can also install the update manually.
- About the security content of Apple TV 2.1, Apple bug report