Update for Apple TV closes critical holes
Apple has released the Apple TV 2.2 update, which also fixes three vulnerabilities in the Apple TV living room iTunes client and streaming media box. Two critical holes can be exploited to inject and execute code on the box. Both are caused by incorrect processing of STSZ and other atoms in manipulated films. In this context, the term "atom" refers to a container that can hold descriptions or data.
The bugs make it possible to provoke targeted buffer and heap overflows and to inject malicious code into system memory. Furthermore, Apple TV video output crashes when specially crafted images in PICT format are displayed.
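
The advisory does not describe the exact flaw, so the following is an added illustration (not Apple's code) of the kind of length check a parser needs before trusting an STSZ (sample size) atom. The function name `check_stsz` and both byte arrays are constructed for this example; the field layout is the standard QuickTime one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Atom fields are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate one 'stsz' atom in buf[0..len). Layout: size(4) type(4)
 * version+flags(4) sample_size(4) sample_count(4) [entries, 4 bytes each].
 * Returns the sample count, or -1 if a declared length does not fit. */
int64_t check_stsz(const uint8_t *buf, size_t len) {
    if (len < 20) return -1;                      /* header + fixed fields */
    uint32_t atom_size = be32(buf);
    if (memcmp(buf + 4, "stsz", 4) != 0) return -1;
    if (atom_size < 20 || atom_size > len) return -1;
    uint32_t sample_size = be32(buf + 12);
    uint32_t count = be32(buf + 16);
    /* sample_size == 0 means a per-sample table follows; it must fit.
     * Divide instead of multiplying so count * 4 cannot wrap around. */
    if (sample_size == 0 && count > (atom_size - 20) / 4) return -1;
    return (int64_t)count;
}

/* Constructed sample: 28-byte atom with two table entries. */
static const uint8_t GOOD_STSZ[] = {
    0,0,0,28, 's','t','s','z', 0,0,0,0, 0,0,0,0, 0,0,0,2,
    0,0,0,16, 0,0,0,32 };
/* Constructed sample: same 28 bytes, but the count field claims 0x40000002
 * entries; a 32-bit count * 4 would wrap to 8 and appear to fit. */
static const uint8_t BAD_STSZ[] = {
    0,0,0,28, 's','t','s','z', 0,0,0,0, 0,0,0,0, 0x40,0,0,2,
    0,0,0,16, 0,0,0,32 };

int main(void) {
    printf("good: %lld\n", (long long)check_stsz(GOOD_STSZ, sizeof GOOD_STSZ));
    printf("bad:  %lld\n", (long long)check_stsz(BAD_STSZ, sizeof BAD_STSZ));
    return 0;
}
```
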
The patch brings Apple TV devices with firmware versions 1.0 and 2.1 up to date. Since Apple TV only checks for updates once a week, it could take several days for the update to be found and automatically installed for some users. Alternatively, users can install the update manually by selecting System Preferences and Update Software on the Apple TV menu system.
The installation of the update evidently caused serious problems for some users. Several users reported that the box kept rebooting itself whenever they tried to install it. But according to Apple, the problem was not caused by the update itself, but rather by a problem with the update server.