About the security content of tvOS 9.1

This document describes the security content of tvOS 9.1.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other security updates, see Apple security updates.

tvOS 9.1

  • AppleMobileFileIntegrity

    Available for: Apple TV (4th generation)

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: An access control issue was addressed by preventing modification of access control structures.

    CVE-ID

    CVE-2015-7055 : Apple

  • Compression

    Available for: Apple TV (4th generation)

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.

    CVE-ID

    CVE-2015-7054 : j00ru

  • CoreGraphics

    Available for: Apple TV (4th generation)

    Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

    Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.

    CVE-ID

    CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

  • CoreMedia Playback

    Available for: Apple TV (4th generation)

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in the processing of malformed media files. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7074

    CVE-2015-7075 : Apple

  • Disk Images

    Available for: Apple TV (4th generation)

    Impact: A local user may be able to execute arbitrary code with kernel privileges

    Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7110 : Ian Beer of Google Project Zero

  • dyld

    Available for: Apple TV (4th generation)

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: Multiple segment validation issues existed in dyld. These were addressed through improved environment sanitization.

    CVE-ID

    CVE-2015-7072 : Apple

    CVE-2015-7079 : PanguTeam

  • ImageIO

    Available for: Apple TV (4th generation)

    Impact: Processing a maliciously crafted image may lead to arbitrary code execution

    Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7053 : Apple

  • IOAcceleratorFamily

    Available for: Apple TV (4th generation)

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: A memory corruption issue existed in IOAcceleratorFamily. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7109 : Juwei Lin of TrendMicro

  • IOHIDFamily

    Available for: Apple TV (4th generation)

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: Multiple memory corruption issues existed in IOHIDFamily API. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7111 : beist and ABH of BoB

    CVE-2015-7112 : Ian Beer of Google Project Zero

  • IOKit SCSI

    Available for: Apple TV (4th generation)

    Impact: A malicious application may be able to execute arbitrary code with kernel privileges

    Description: A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation.

    CVE-ID

    CVE-2015-7068 : Ian Beer of Google Project Zero

  • Kernel

    Available for: Apple TV (4th generation)

    Impact: A local application may be able to cause a denial of service

    Description: Multiple denial of service issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team

    CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team

    CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team

    CVE-2015-7043 : Tarjei Mandt (@kernelpool)

  • Kernel

    Available for: Apple TV (4th generation)

    Impact: A local user may be able to execute arbitrary code with kernel privileges

    Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7083 : Ian Beer of Google Project Zero

    CVE-2015-7084 : Ian Beer of Google Project Zero

  • Kernel

    Available for: Apple TV (4th generation)

    Impact: A local user may be able to execute arbitrary code with kernel privileges

    Description: An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages.

    CVE-ID

    CVE-2015-7047 : Ian Beer of Google Project Zero

  • libarchive

    Available for: Apple TV (4th generation)

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: A memory corruption issue existed in the processing of archives. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2011-2895 : @practicalswift

  • libc

    Available for: Apple TV (4th generation)

    Impact: Processing a maliciously crafted package may lead to arbitrary code execution

    Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.

    CVE-ID

    CVE-2015-7038 : Brian D. Wells of E. W. Scripps, Narayan Subramanian of Symantec Corporation/Veritas LLC

    CVE-2015-7039 : Maksymilian Arciemowicz (CXSECURITY.COM)

    Entry updated March 3, 2017

  • libxml2

    Available for: Apple TV (4th generation)

    Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information

    Description: A memory corruption issue existed in the parsing of XML files. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7115 : Wei Lei and Liu Yang of Nanyang Technological University

    CVE-2015-7116 : Wei Lei and Liu Yang of Nanyang Technological University

  • MobileStorageMounter

    Available for: Apple TV (4th generation)

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: A timing issue existed in loading of the trust cache. This issue was addressed by validating the system environment before loading the trust cache.

    CVE-ID

    CVE-2015-7051 : PanguTeam

  • OpenGL

    Available for: Apple TV (4th generation)

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in OpenGL. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7064 : Apple

    CVE-2015-7065 : Apple

  • Security

    Available for: Apple TV (4th generation)

    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue existed in handling SSL handshakes. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7073 : Benoit Foucher of ZeroC, Inc.

  • Security

    Available for: Apple TV (4th generation)

    Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in the ASN.1 decoder. These issues were addressed through improved input validation.

    CVE-ID

    CVE-2015-7059 : David Keeler of Mozilla

    CVE-2015-7060 : Tyson Smith of Mozilla

    CVE-2015-7061 : Ryan Sleevi of Google

  • Security

    Available for: Apple TV (4th generation)

    Impact: A malicious application may gain access to a user's Keychain items

    Description: An issue existed in the validation of access control lists for keychain items. This issue was addressed through improved access control list checks.

    CVE-ID

    CVE-2015-7058

  • WebKit

    Available for: Apple TV (4th generation)

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7048 : Apple

    CVE-2015-7095 : Apple

    CVE-2015-7096 : Apple

    CVE-2015-7097 : Apple

    CVE-2015-7098 : Apple

    CVE-2015-7099 : Apple

    CVE-2015-7100 : Apple

    CVE-2015-7101 : Apple

    CVE-2015-7102 : Apple

    CVE-2015-7103 : Apple

    CVE-2015-7104 : Apple

  • WebKit

    Available for: Apple TV (4th generation)

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in OpenGL. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7066 : Tongbo Luo and Bo Qu of Palo Alto Networks

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.
