Apple TV vulnerabilities closed after being watched for months

Apple has closed off 21 vulnerabilities in Apple TV today despite knowing about many of them for months in advance.
Written by Michael Lee, Contributor

Apple has been going on a patching spree, releasing updates to close vulnerabilities in iTunes, iOS, OS X, and now even its Apple TV offering.

The Cupertino, California-based company released a security bulletin today, revealing the closure of 21 vulnerabilities affecting Apple TV.

The majority of the vulnerabilities affect how Apple TV handles certain specially crafted images or movies, which can result in the underlying software either crashing, or allowing arbitrary code to be executed. A number of vulnerabilities date back to 2011.

Despite many of these vulnerabilities also allowing for arbitrary code to be executed, and the company clearly being aware of their existence, as evidenced by it patching them in other Apple products, they were only closed in this most recent update.

For example, an Apple TV vulnerability that meant that a malicious TIFF file could allow arbitrary code to be executed was reported by a member of the public on March 21, 2011, and assigned the vulnerability identifier CVE-2011-1167. It was later closed in an update to OS X Lion 10.7.3, which, according to the date of the security bulletin, indicates that Apple was aware of the issue as early as February 1, 2012.

According to the security bulletin, Apple TV will periodically check for software updates on its own, although users can manually force a check themselves.

Apple also recently released security patches for OS X Mountain Lion and OS X Lion to close off 34 vulnerabilities.

Some of the more significant issues included a bug where a locally logged-in user could allow another user to attempt to log in and in doing so steal their log-in credentials; and on Lion systems, attackers could decrypt data even if it was protected by SSL.

Editorial standards