Apple TV security fixes - better late than never?

Stephen Withers
Friday, 11 July 2008 03:32

Your IT - Home IT

Despite the flurry of activity surrounding the iPhone 3G launch, Apple hasn't been ignoring its other product lines. A software update for Apple TV plugs multiple security holes.

Apple TV 2.1 is designed to remove half a dozen vulnerabilities. Their most common cause? Our old favourite: buffer overflows leading to crashes or arbitrary code execution.

Improved bounds checking and data validation in the new software fixes five of the six vulnerabilities, which could be exploited by maliciously formed movie, QuickTime or PICT.

The remaining issue concerned the way QuickTime handles URLs. The software now refuses to open local files or applications specified in file: URLs. While this stops malicious content from triggering program execution, it also prevents legitimate use of the capability. (Better safe than sorry?)

Three of the bugs were reported to Apple by Tipping Point's Zero Day Initiative, which buys vulnerability information from security researchers and then engages in a 'responsible disclosure' dialogue with the vendor concerned.

Apple has a reputation for being less than speedy when it comes to security updates. Of the six vulnerabilities covered by the Apple TV update, all have previously been fixed by QuickTime updates for Mac OS X and Windows.

Just how long has Apple held back on security updates for the Apple TV? Please read on.