
Now showing: Apple TV security flaw

Apple issues an update to Apple TV to fix a remotely exploitable buffer overflow that could allow code execution attacks.
Written by Ryan Naraine, Contributor

Apple TV has a remotely exploitable buffer overflow that could allow code execution attacks.

The vulnerability, reported by Juniper Networks researcher Mike Lynn, has been fixed with today's release of Apple TV 1.1, according to an advisory from Cupertino.

This is the same "critical" mDNSResponder vulnerability fixed in last month's mega-patch from Apple. Exploit code for this flaw, which also affects the Bonjour networking service, has been released by a private security research outfit.

[ SEE: Bonjour Apple, connect to this Mac OS X exploit ]

Apple's description of the flaw and potential attack scenario:

A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the Apple TV implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution.

According to the advisory, the Apple TV device will automatically check for, download, verify and apply the update.

This process may take up to a week depending on the day that the Apple TV device checks for updates. Alternatively, you may manually update your Apple TV using the TV interface by selecting Settings > Update Software.
