About the security content of Apple TV 2.1
This document describes the security content of Apple TV 2.1.
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To find out more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key".
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To find out more about other Security Updates, see "Apple Security Updates".
Apple TV 2.1
Apple TV
CVE-ID: CVE-2008-1015
Available for: Apple TV
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
Description: An issue in the handling of data reference atoms may result in a buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of data reference atoms. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
Apple TV
CVE-ID: CVE-2008-1017
Available for: Apple TV
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
Description: An issue in the parsing of "crgn" atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Sanbin Li working with TippingPoint's Zero Day Initiative for reporting this issue.
Apple TV
CVE-ID: CVE-2008-1018
Available for: Apple TV
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution.
Description: An issue in the parsing of "chan" atoms may result in a heap buffer overflow. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.
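The three entries above (data reference atoms, "crgn" atoms and "chan" atoms) all share one shape: a size field read from the file drives a copy into memory whose real capacity is never compared against it. The advisory does not say which field or which buffer was involved, so the following is an added illustration of the general pattern rather than Apple's code or a reconstruction of these bugs. It walks a buffer of QuickTime atoms (4-byte big-endian size, 4-byte type, optional 64-bit extended size), validates every declared size against the bytes that actually remain, and shows a payload copy with and without the capacity check that "improved bounds checking" refers to. The atom samples are constructed for the example and are not real movie files.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of walking a buffer of QuickTime atoms. */
enum atom_status {
    ATOM_OK = 0,
    ATOM_TRUNCATED_HEADER,  /* fewer bytes left than an atom header needs */
    ATOM_BAD_SIZE,          /* declared size smaller than the header itself */
    ATOM_OVERRUN            /* declared size runs past the end of the buffer */
};

/* QuickTime atoms are big-endian: 4-byte size, 4-byte type, then payload. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Walk the top-level atoms in buf[0..len). Every file-supplied size is checked
 * against the bytes actually remaining before the payload is used; *count
 * (if non-NULL) receives the number of atoms on success. */
enum atom_status walk_atoms(const uint8_t *buf, size_t len, size_t *count) {
    size_t off = 0, n = 0;
    while (off < len) {
        if (len - off < 8) return ATOM_TRUNCATED_HEADER;
        uint64_t size = be32(buf + off);
        size_t hdr = 8;
        if (size == 1) {                      /* 64-bit size follows the type */
            if (len - off < 16) return ATOM_TRUNCATED_HEADER;
            size = be64(buf + off + 8);
            hdr = 16;
        } else if (size == 0) {               /* "extends to end of data" */
            size = len - off;
        }
        if (size < hdr) return ATOM_BAD_SIZE;      /* would step backwards or spin */
        if (size > len - off) return ATOM_OVERRUN; /* claims more than exists */
        /* Payload is buf + off + hdr, length size - hdr, and is now safe to parse. */
        off += (size_t)size;
        n++;
    }
    if (count) *count = n;
    return ATOM_OK;
}

/* Hardened copy of one 32-bit-size atom's payload into a fixed-capacity buffer.
 * Returns the payload length, or -1 if the atom is malformed or would not fit. */
long extract_payload(const uint8_t *buf, size_t len, size_t off,
                     uint8_t *dst, size_t dst_cap) {
    if (off > len || len - off < 8) return -1;
    uint32_t size = be32(buf + off);
    if (size < 8 || size > len - off) return -1;
    size_t payload = size - 8;
    if (payload > dst_cap) return -1;   /* the check a heap overflow lacks */
    memcpy(dst, buf + off + 8, payload);
    return (long)payload;
}

/* Contrast only, never called: the unsafe shape. The length comes straight from
 * the file and the destination capacity is never consulted, so a crafted atom
 * writes past the end of dst. */
void extract_payload_unchecked(const uint8_t *buf, uint8_t *dst) {
    uint32_t size = be32(buf);
    memcpy(dst, buf + 8, size - 8);
}

/* Constructed samples (not real files): a well-formed pair of atoms, one whose
 * size claims far more than the buffer holds, and one whose size is below 8. */
static const uint8_t SAMPLE_GOOD[] = {
    0, 0, 0, 16, 'f', 't', 'y', 'p', 'q', 't', ' ', ' ', 0, 0, 0, 0,
    0, 0, 0, 8,  'f', 'r', 'e', 'e'
};
static const uint8_t SAMPLE_OVERRUN[]  = { 0x7f, 0xff, 0xff, 0xff, 'c', 'r', 'g', 'n', 0, 0, 0, 0 };
static const uint8_t SAMPLE_BAD_SIZE[] = { 0, 0, 0, 4, 'c', 'h', 'a', 'n' };

int main(void) {
    size_t n = 0;
    printf("good:     status=%d atoms=%zu\n", walk_atoms(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n), n);
    printf("overrun:  status=%d\n", walk_atoms(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, NULL));
    printf("bad size: status=%d\n", walk_atoms(SAMPLE_BAD_SIZE, sizeof SAMPLE_BAD_SIZE, NULL));
    return 0;
}
```

The two checks that matter are the ones on the declared size: it must be at least as large as the header it describes (otherwise the walker loops or steps backwards) and no larger than the data that remains (otherwise every later read is out of bounds). `extract_payload` applies the same idea to the destination side, which is the comparison whose absence turns a file-controlled length into a heap overflow.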
Apple TV
CVE-ID: CVE-2008-1585
Available for: Apple TV
Impact: Playing maliciously crafted QuickTime content may lead to arbitrary code execution.
Description: A URL handling issue exists in the handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content. This update addresses the issue by no longer launching local applications and files. Credit to Vinoo Thomas and Rahul Mohandas of McAfee Avert Labs, and Petko D. (pdp) Petkov of GNUCITIZEN working with TippingPoint's Zero Day Initiative for reporting this issue.
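The fix described above, "no longer launching local applications and files", is a policy decision about which URL schemes media content may reach. As an added example (not Apple's code, and not how QuickTime implements the check), the snippet below parses the scheme the way RFC 3986 defines it and then applies an allowlist of network streaming schemes. The allowlist is an assumption for illustration; the point it makes is that an allowlist refuses `file:` in any capitalisation, bare local paths and unknown schemes alike, whereas a denylist that only matches the lowercase string `file:` would not. The sample URLs are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Extract the URI scheme as RFC 3986 defines it:
 *   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
 * followed by ":". The scheme is copied lowercased into out; returns false when
 * the string has no syntactically valid scheme (bare path, leading whitespace,
 * empty, NULL, or a scheme too long for out). */
static bool uri_scheme(const char *url, char *out, size_t cap) {
    if (url == NULL || !isalpha((unsigned char)url[0])) return false;
    size_t i = 0;
    for (; url[i] != '\0' && url[i] != ':'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.')) return false;
        if (i + 1 >= cap) return false;       /* leave room for the terminator */
        out[i] = (char)tolower(c);
    }
    if (url[i] != ':') return false;          /* no scheme delimiter at all */
    out[i] = '\0';
    return true;
}

/* Policy for URLs embedded in media content (assumed allowlist, for the
 * example): permit only network streaming schemes and refuse everything else.
 * file: in any capitalisation, a bare local path and unknown schemes are all
 * rejected, so the content can never launch local applications or files. */
bool media_url_allowed(const char *url) {
    static const char *const allowed[] = { "http", "https", "rtsp" };
    char scheme[16];
    if (!uri_scheme(url, scheme, sizeof scheme)) return false;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(scheme, allowed[i]) == 0) return true;
    return false;
}

int main(void) {
    /* Constructed inputs, not taken from any real content. */
    const char *urls[] = {
        "rtsp://media.example.com/stream",
        "http://media.example.com/a.mov",
        "file:///Applications/Example.app",
        "FILE:///Applications/Example.app",
        "/Users/shared/a.mov",
        "javascript:alert(1)",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-5s %s\n", media_url_allowed(urls[i]) ? "allow" : "deny", urls[i]);
    return 0;
}
```

Parsing the scheme before comparing it also closes the gap where a comparison on the raw prefix would accept `File:` or `FILE:`, since the scheme is case-insensitive and the launcher behind it would treat all spellings the same.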
Apple TV
CVE-ID: CVE-2008-0234
Available for: Apple TV
Impact: Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution.
Description: A heap buffer overflow exists in the handling of HTTP responses when RTSP tunnelling is enabled. Playing maliciously crafted QuickTime content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
Apple TV
CVE-ID: CVE-2008-0036
Available for: Apple TV
Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution.
Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Chris Ries of Carnegie Mellon University Computing Services for reporting this issue.
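Compressed PICT pixel data is packed with PackBits, a run-length scheme in which a control byte from the file decides how many bytes the decoder emits next. The advisory does not say where the overflow was, so the following is an added example of the hardened decoder shape (not Apple's code and not a reconstruction of this bug): it checks that a literal run has enough input bytes behind it and that any run fits in the remaining output before writing anything, so a control byte that expands to more output than the caller allocated produces a clean failure instead of a heap write past the buffer. The inputs are constructed and are not from a real PICT file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode PackBits run-length data (the packing used for PICT pixel rows).
 * Each run starts with a control byte b:
 *   b < 128  : copy the next b+1 bytes literally
 *   b > 128  : repeat the next byte 257-b times
 *   b == 128 : no-op
 * Returns the number of bytes written to dst, or -1 if the input is truncated
 * or the decoded output would exceed dst_cap. Both conditions are checked
 * before any byte is written; that is the bounds check that turns a crafted
 * control byte from a heap overflow into a decode failure. */
long packbits_decode(const uint8_t *src, size_t src_len,
                     uint8_t *dst, size_t dst_cap) {
    size_t in = 0, out = 0;
    while (in < src_len) {
        uint8_t b = src[in++];
        if (b == 128) continue;
        if (b < 128) {
            size_t run = (size_t)b + 1;
            if (run > src_len - in) return -1;    /* literal bytes missing */
            if (run > dst_cap - out) return -1;   /* would overrun dst */
            memcpy(dst + out, src + in, run);
            in += run;
            out += run;
        } else {
            size_t run = 257 - (size_t)b;
            if (in >= src_len) return -1;         /* repeat byte missing */
            if (run > dst_cap - out) return -1;   /* would overrun dst */
            memset(dst + out, src[in++], run);
            out += run;
        }
    }
    return (long)out;
}

/* Constructed inputs, not taken from any real PICT file. */
static const uint8_t PB_OK[]        = { 0x02, 'A', 'B', 'C', 0xFE, 'Z' };  /* "ABCZZZ" */
static const uint8_t PB_TRUNCATED[] = { 0x05, 'A' };                       /* claims 6 literals, has 1 */
static const uint8_t PB_EXPANDS[]   = { 0x81, 'X', 0x81, 'X' };            /* 4 bytes in, 256 out */

int main(void) {
    uint8_t out[256];
    long n = packbits_decode(PB_OK, sizeof PB_OK, out, sizeof out);
    printf("ok:        %ld bytes -> %.*s\n", n, (int)n, out);
    printf("truncated: %ld\n", packbits_decode(PB_TRUNCATED, sizeof PB_TRUNCATED, out, sizeof out));
    printf("into 64:   %ld\n", packbits_decode(PB_EXPANDS, sizeof PB_EXPANDS, out, 64));
    printf("into 256:  %ld\n", packbits_decode(PB_EXPANDS, sizeof PB_EXPANDS, out, sizeof out));
    return 0;
}
```

The asymmetry is what makes this class of decoder dangerous: four bytes of input legitimately expand to 256 bytes of output, so an output buffer sized from the compressed length, or from a row width the file also controls, is exactly what a crafted run overruns. Sizing `dst` from the image dimensions and checking `run` against what remains of it, as above, removes that dependence on file-supplied counts.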