Thirty-three fixes flung at Cupertino’s telly-enhancer
Apple has patched 33 problems, collectively named in 58 CVEs, in its latest TV-enhancing computer-puck. Of these, 10 enable arbitrary code execution, six with system privileges.
32 of the flaws hit third-generation Apple TV devices and just one its newer, fatter, fourth-gen beast.
The good news is that the changes will automagically appear for those users with automatic updates turned on.
The rest are susceptible to nasties like a memory corruption flaw (CVE-2015-5776) that allows remote attackers to gain arbitrary code execution or crash applications.
Another three holes in an old version of libxml2 allow remote denial of service (CVE-2012-6685, CVE-2014-0191 and CVE-2014-3660 reported by Google’s Felix Groebert).
Other flaws facilitating arbitrary code execution with system privileges can be triggered by malicious or malformed DMG files, plists, and an app.
App engineers stamped out 27 flaws including 19 code execution holes that attackers could otherwise exploit with crafted web content.
Some cross-origin flaws mean images and cookies could leak to third-party sites.
Ironically, the source of five flaws was the TaiG jailbreaking team (@TaiG_jailbreak), which found messes concerning the execution of unsigned code. One of the group’s finds revealed a method of enabling arbitrary code execution with system privileges. ®