Lucene search

K
appleAppleAPPLE:HT206169
HistoryJan 23, 2017 - 3:54 a.m.

About the security content of tvOS 9.2 - Apple Support

2017-01-2303:54:34
support.apple.com
15

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.063 Low

EPSS

Percentile

93.6%

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other security updates, see Apple security updates.

tvOS 9.2

  • FontParser

Available for: Apple TV (4th generation)

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1740 : HappilyCoded (ant4g0nist and r3dsm0k3) working with Trend Micro’s Zero Day Initiative (ZDI)

  • HTTPProtocol

Available for: Apple TV (4th generation)

Impact: A remote attacker may be able to execute arbitrary code

Description: Multiple vulnerabilities existed in nghttp2 versions prior to 1.6.0, the most serious of which may have led to remote code execution. These were addressed by updating nghttp2 to version 1.6.0.

CVE-ID

CVE-2015-8659

  • IOHIDFamily

Available for: Apple TV (4th generation)

Impact: An application may be able to determine kernel memory layout

Description: A memory corruption issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1748 : Brandon Azad

  • Kernel

Available for: Apple TV (4th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed through improved memory management.

CVE-ID

CVE-2016-1750 : CESG

  • Kernel

Available for: Apple TV (4th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple integer overflows were addressed through improved input validation.

CVE-ID

CVE-2016-1753 : Juwei Lin Trend Micro working with Trend Micro’s Zero Day Initiative (ZDI)

  • Kernel

Available for: Apple TV (4th generation)

Impact: An application may be able to bypass code signing

Description: A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed through improved permission validation.

CVE-ID

CVE-2016-1751 : Eric Monti of Square Mobile Security

  • Kernel

Available for: Apple TV (4th generation)

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2016-1754 : Lufeng Li of Qihoo 360 Vulcan Team

CVE-2016-1755 : Ian Beer of Google Project Zero

  • Kernel

Available for: Apple TV (4th generation)

Impact: An application may be able to cause a denial of service

Description: A denial of service issue was addressed through improved validation.

CVE-ID

CVE-2016-1752 : CESG

  • libxml2

Available for: Apple TV (4th generation)

Impact: Processing maliciously crafted XML may lead to unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues were addressed through improved memory handling.

CVE-ID

CVE-2015-1819

CVE-2015-5312 : David Drysdale of Google

CVE-2015-7499

CVE-2015-7500 : Kostya Serebryany of Google

CVE-2015-7942 : Kostya Serebryany of Google

CVE-2015-8035 : gustavo.grieco

CVE-2015-8242 : Hugh Davenport

CVE-2016-1762

  • Security

Available for: Apple TV (4th generation)

Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution

Description: A memory corruption issue existed in the ASN.1 decoder. This issue was addressed through improved input validation.

CVE-ID

CVE-2016-1950 : Francis Gabriel of Quarkslab

  • TrueTypeScaler

Available for: Apple TV (4th generation)

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.

CVE-ID

CVE-2016-1775 : 0x1byte working with Trend Micro’s Zero Day Initiative (ZDI)

  • WebKit

Available for: Apple TV (4th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed through improved memory handling.

CVE-ID

CVE-2016-1783 : Mihai Parparita of Google

  • WebKit History

Available for: Apple TV (4th generation)

Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash

Description: A resource exhaustion issue was addressed through improved input validation.

CVE-ID

CVE-2016-1784 : Moony Li and Jack Tang of TrendMicro and 李普君 of 无声信息技术PKAV Team (PKAV.net)

  • Wi-Fi

Available for: Apple TV (4th generation)

Impact: An attacker with a privileged network position may be able to execute arbitrary code

Description: A frame validation and memory corruption issue existed for a given ethertype. This issue was addressed through additional ethertype validation and improved memory handling.

CVE-ID

CVE-2016-0801 : an anonymous researcher

CVE-2016-0802 : an anonymous researcher

CPENameOperatorVersion
tvoslt9.2

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.063 Low

EPSS

Percentile

93.6%