logo
DATABASE RESOURCES PRICING ABOUT US

About the security content of tvOS 10.2

Description

# About the security content of tvOS 10.2 This document describes the security content of tvOS 10.2. ## About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page. For more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>). Apple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible. ![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png) ## tvOS 10.2 Released March 27, 2017 **Audio** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2430: an anonymous researcher working with Trend Micro’s Zero Day Initiative CVE-2017-2462: an anonymous researcher working with Trend Micro’s Zero Day Initiative **Carbon** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted .dfont file may lead to arbitrary code execution Description: A buffer overflow existed in the handling of font files. This issue was addressed through improved bounds checking. CVE-2017-2379: John Villamil, Doyensec, riusksk (泉哥) of Tencent Security Platform Department **CoreGraphics** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted image may lead to a denial of service Description: An infinite recursion was addressed through improved state management. CVE-2017-2417: riusksk (泉哥) of Tencent Security Platform Department **CoreGraphics** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2444: Mei Wang of 360 GearTeam **CoreText** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2435: John Villamil, Doyensec **CoreText** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: An out-of-bounds read was addressed through improved input validation. CVE-2017-2450: John Villamil, Doyensec **CoreText** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted text message may lead to application denial of service Description: A resource exhaustion issue was addressed through improved input validation. CVE-2017-2461: an anonymous researcher, Isaac Archambault of IDAoADI **FontParser** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2487: riusksk (泉哥) of Tencent Security Platform Department CVE-2017-2406: riusksk (泉哥) of Tencent Security Platform Department **FontParser** Available for: Apple TV (4th generation) Impact: Parsing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2407: riusksk (泉哥) of Tencent Security Platform Department **FontParser** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: An out-of-bounds read was addressed through improved input validation. CVE-2017-2439: John Villamil, Doyensec **HTTPProtocol** Available for: Apple TV (4th generation) Impact: A malicious HTTP/2 server may be able to cause undefined behavior Description: Multiple issues existed in nghttp2 before 1.17.0. These were addressed by updating nghttp2 to version 1.17.0. CVE-2017-2428 Entry updated March 28, 2017 **ImageIO** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2416: Qidan He (何淇丹, @flanker_hqd) of KeenLab, Tencent **ImageIO** Available for: Apple TV (4th generation) Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2432: an anonymous researcher working with Trend Micro's Zero Day Initiative **ImageIO** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2467 **ImageIO** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted image may lead to unexpected application termination Description: An out-of-bound read existed in LibTIFF versions before 4.0.7. This was addressed by updating LibTIFF in ImageIO to version 4.0.7. CVE-2016-3619 **JavaScriptCore** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed through improved memory management. CVE-2017-2491: Apple Entry added May 2, 2017 **JavaScriptCore** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted web page may lead to universal cross site scripting Description: A prototype issue was addressed through improved logic. CVE-2017-2492: lokihardt of Google Project Zero Entry updated April 24, 2017 **Kernel** Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2401: Lufeng Li of Qihoo 360 Vulcan Team **Kernel** Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: An integer overflow was addressed through improved input validation. CVE-2017-2440: an anonymous researcher **Kernel** Available for: Apple TV (4th generation) Impact: A malicious application may be able to execute arbitrary code with root privileges Description: A race condition was addressed through improved memory handling. CVE-2017-2456: lokihardt of Google Project Zero **Kernel** Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed through improved memory management. CVE-2017-2472: Ian Beer of Google Project Zero **Kernel** Available for: Apple TV (4th generation) Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2473: Ian Beer of Google Project Zero **Kernel** Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: An off-by-one issue was addressed through improved bounds checking. CVE-2017-2474: Ian Beer of Google Project Zero **Kernel** Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed through improved locking. CVE-2017-2478: Ian Beer of Google Project Zero **Kernel** Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow issue was addressed through improved memory handling. CVE-2017-2482: Ian Beer of Google Project Zero CVE-2017-2483: Ian Beer of Google Project Zero **Kernel** Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with elevated privileges Description: A memory corruption issue was addressed through improved memory handling. CVE-2017-2490: Ian Beer of Google Project Zero, The UK's National Cyber Security Centre (NCSC) Entry added March 31, 2017 **Keyboards** Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code Description: A buffer overflow was addressed through improved bounds checking. CVE-2017-2458: Shashank (@cyberboyIndia) **Keychain** Available for: Apple TV (4th generation) Impact: An attacker who is able to intercept TLS connections may be able to read secrets protected by iCloud Keychain. Description: In certain circumstances, iCloud Keychain failed to validate the authenticity of OTR packets. This issue was addressed through improved validation. CVE-2017-2448: Alex Radocea of Longterm Security, Inc. Entry updated March 30, 2017 **libarchive** Available for: Apple TV (4th generation) Impact: A local attacker may be able to change file system permissions on arbitrary directories Description: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks. CVE-2017-2390: Omer Medan of enSilo Ltd **libc++abi** Available for: Apple TV (4th generation) Impact: Demangling a malicious C++ application may lead to arbitrary code execution Description: A use after free issue was addressed through improved memory management. CVE-2017-2441 **libxslt** Available for: Apple TV (4th generation) Impact: Multiple vulnerabilities in libxslt Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2017-5029: Holger Fuhrmannek Entry added March 28, 2017 **Security** Available for: Apple TV (4th generation) Impact: An application may be able to execute arbitrary code with root privileges Description: A buffer overflow was addressed through improved bounds checking. CVE-2017-2451: Alex Radocea of Longterm Security, Inc. **Security** Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted x509 certificate may lead to arbitrary code execution Description: A memory corruption issue existed in the parsing of certificates. This issue was addressed through improved input validation. CVE-2017-2485: Aleksandar Nikolic of Cisco Talos **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may exfiltrate data cross-origin Description: A prototype access issue was addressed through improved exception handling. CVE-2017-2386: André Bargull **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved input validation. CVE-2017-2394: Apple CVE-2017-2396: Apple CVE-2016-9642: Gustavo Grieco **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2017-2395: Apple CVE-2017-2454: Ivan Fratric of Google Project Zero, Zheng Huang of the Baidu Security Lab working with Trend Micro's Zero Day Initiative CVE-2017-2455: Ivan Fratric of Google Project Zero CVE-2017-2459: Ivan Fratric of Google Project Zero CVE-2017-2460: Ivan Fratric of Google Project Zero CVE-2017-2464: natashenka of Google Project Zero, Jeonghoon Shin CVE-2017-2465: Zheng Huang and Wei Yuan of Baidu Security Lab CVE-2017-2466: Ivan Fratric of Google Project Zero CVE-2017-2468: lokihardt of Google Project Zero CVE-2017-2469: lokihardt of Google Project Zero CVE-2017-2470: lokihardt of Google Project Zero CVE-2017-2476: Ivan Fratric of Google Project Zero CVE-2017-2481: 0011 working with Trend Micro's Zero Day Initiative Entry updated June 20, 2017 **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed through improved memory handling. CVE-2017-2415: Kai Kang of Tencent's Xuanwu Lab (tentcent.com) **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to high memory consumption Description: An uncontrolled resource consumption issue was addressed through improved regex processing. CVE-2016-9643: Gustavo Grieco **WebKit** Available for: Apple TV (4th generation) Impact: A malicious website may exfiltrate data cross-origin Description: A validation issue existed in the handling of page loading. This issue was addressed through improved logic. CVE-2017-2367: lokihardt of Google Project Zero **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of frame objects. This issue was addressed with improved state management. CVE-2017-2445: lokihardt of Google Project Zero **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A logic issue existed in the handling of strict mode functions. This issue was addressed with improved state management. CVE-2017-2446: natashenka of Google Project Zero **WebKit** Available for: Apple TV (4th generation) Impact: Visiting a maliciously crafted website may compromise user information Description: A memory corruption issue was addressed through improved memory handling. CVE-2017-2447: natashenka of Google Project Zero **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed through improved memory handling. CVE-2017-2463: Kai Kang (4B5F5F4B) of Tencent's Xuanwu Lab (tencent.com) working with Trend Micro's Zero Day Initiative Entry added March 28, 2017 **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in frame handling. This issue was addressed through improved state management. CVE-2017-2475: lokihardt of Google Project Zero **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may exfiltrate data cross-origin Description: A validation issue existed in element handling. This issue was addressed through improved validation. CVE-2017-2479: lokihardt of Google Project Zero Entry added March 28, 2017 **WebKit** Available for: Apple TV (4th generation) Impact: Processing maliciously crafted web content may exfiltrate data cross-origin Description: A validation issue existed in element handling. This issue was addressed through improved validation. CVE-2017-2480: lokihardt of Google Project Zero CVE-2017-2493: lokihardt of Google Project Zero Entry updated April 24, 2017 ![](/library/content/dam/edam/applecare/images/en_US/mac_apps/itunes/divider.png) ## Additional recognition **XNU** We would like to acknowledge Lufeng Li of Qihoo 360 Vulcan Team for their assistance. Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. [Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information. Published Date: March 05, 2021


Affected Software


CPE Name Name Version
tvos 10.2

Related