Now showing: Apple TV security flaw

Summary:Apple issues an update to Apple TV to fix a remotely exploitable buffer overflow that could allow code execution attacks.

Apple TV has a remotely exploitable buffer overflow that could allow code execution attacks.

Apple TV
The vulnerability, reported by Juniper Networks researcher Mike Lynn, has been fixed with today's release of Apple TV 1.1, according to an advisory from Cupertino.

This is the same "critical" mDNSResponder vulnerability fixed in last month's mega-patch from Apple. Exploit code for this flaw, which also affects the Bonjour networking service, has been released by a private security research outfit.

[ SEE: Bonjour Apple, connect to this Mac OS X exploit ]

Apple's description of the flaw and potential attack scenario:

A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the Apple TV implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution.

According to the advisory, the Apple TV device will automatically check for, download, verify and apply the update.

This process may take up to a week depending on the day that the Apple TV device checks for updates. Alternatively, you may manually update your Apple TV using the TV interface by selecting Settings > Update Software.

Topics: Security, Apple, Hardware

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.