10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
This document describes the security content of tvOS 9.2.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other security updates, see Apple security updates.
Available for: Apple TV (4th generation)
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-ID
CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with Trend Micro’s Zero Day Initiative (ZDI)
Available for: Apple TV (4th generation)
Impact: A remote attacker may be able to execute arbitrary code
Description: Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0.
CVE-ID
CVE-2015-8659
Available for: Apple TV (4th generation)
Impact: An application may be able to determine kernel memory layout
Description: A memory corruption issue was addressed through improved memory handling.
CVE-ID
CVE-2016-1748 : Brandon Azad
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A use after free issue was addressed through improved memory management.
CVE-ID
CVE-2016-1750 : CESG
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple integer overflows were addressed through improved input validation.
CVE-ID
CVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro’s Zero Day Initiative (ZDI)
Available for: Apple TV (4th generation)
Impact: An application may be able to bypass code signing
Description: A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed through improved permission validation.
CVE-ID
CVE-2016-1751 : Eric Monti of Square Mobile Security
Available for: Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-ID
CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2016-1755 : Ian Beer of Google Project Zero
Available for: Apple TV (4th generation)
Impact: An application may be able to cause a denial of service
Description: A denial of service issue was addressed through improved validation.
CVE-ID
CVE-2016-1752 : CESG
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-ID
CVE-2015-1819
CVE-2015-5312 : David Drysdale of Google
CVE-2015-7499
CVE-2015-7500 : Kostya Serebryany of Google
CVE-2015-7942 : Kostya Serebryany of Google
CVE-2015-8035 : gustavo.grieco
CVE-2015-8242 : Hugh Davenport
CVE-2016-1762
Available for: Apple TV (4th generation)
Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution
Description: A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation.
CVE-ID
CVE-2016-1950 : Francis Gabriel of Quarkslab
Available for: Apple TV (4th generation)
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2016-1775 : 0x1byte working with Trend Micro’s Zero Day Initiative (ZDI)
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-ID
CVE-2016-1783 : Mihai Parparita of Google
Available for: Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash
Description: A resource exhaustion issue was addressed through improved input validation.
CVE-ID
CVE-2016-1784 : Moony Li and Jack Tang of TrendMicro and 李普君 of 无声信息技术PKAV Team (PKAV.net)
Available for: Apple TV (4th generation)
Impact: An attacker with a privileged network position may be able to execute arbitrary code
Description: A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling.
CVE-ID
CVE-2016-0801 : an anonymous researcher
CVE-2016-0802 : an anonymous researcher
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.
Published Date: January 23, 2017
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C