
OS X, Apple TV flaws fixed

Apple on Thursday released two security fixes: one patching an IPv6 vulnerability in Mac OS X and the other correcting a more serious flaw in its Apple TV set-top box.

Both holes can be triggered remotely, but only the Apple TV buffer overflow can be exploited to execute arbitrary code or cause a denial of service.

The French Security Incident Response Team (FrSIRT) rated the Apple TV vulnerability as "critical." Apple TV is a network device that lets users play content from a computer on a television. According to Apple's advisory, the flaw lies in the device's UPnP Internet Gateway Device (IGD) Standardized Device Control Protocol code.

An attacker can deliver a maliciously crafted packet that can "trigger the overflow which may lead to an unexpected application termination or arbitrary code execution," Apple said. The security update resolves the issue by performing additional validation when processing such packets.
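Apple's advisory describes the Apple TV bug only as an overflow triggered by a crafted packet and fixed by added validation. The C program below is an added illustration, not Apple's code and not a reconstruction of the actual bug: it parses the NewPortMappingDescription argument of a UPnP IGD AddPortMapping request (a real argument of the WANIPConnection service; the request bodies, the 64-byte buffer and the function names are constructed for this example) and places an unchecked copy next to the version that validates the message-supplied length before copying, which is the class of check the fix refers to.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define DESC_MAX 64   /* fixed-size destination for NewPortMappingDescription (assumed) */

/* Locate the text of <tag>...</tag> in a SOAP body. Returns a pointer to the
 * first byte of the content and stores its length, or NULL if absent. */
static const char *find_element(const char *msg, const char *tag, size_t *out_len)
{
    char open[80], close[80];
    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);
    const char *s = strstr(msg, open);
    if (!s) return NULL;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (!e) return NULL;
    *out_len = (size_t)(e - s);
    return s;
}

/* The vulnerable shape: the copy length comes straight from the message and
 * the destination is fixed size, so a description of DESC_MAX bytes or more
 * writes past the end of desc. Kept for comparison only; this program never
 * calls it on oversized input. */
int copy_description_unchecked(const char *msg, char desc[DESC_MAX])
{
    size_t n;
    const char *s = find_element(msg, "NewPortMappingDescription", &n);
    if (!s) return -1;
    memcpy(desc, s, n);            /* n is never compared against DESC_MAX */
    desc[n] = '\0';
    return 0;
}

/* The hardened shape: validate the attacker-controlled length against the
 * buffer before copying and reject the message outright when it does not fit. */
int copy_description_checked(const char *msg, char desc[DESC_MAX])
{
    size_t n;
    const char *s = find_element(msg, "NewPortMappingDescription", &n);
    if (!s) return -1;             /* element missing */
    if (n >= DESC_MAX) return -2;  /* oversized: drop the packet */
    memcpy(desc, s, n);
    desc[n] = '\0';
    return 0;
}

/* Constructed sample AddPortMapping body with a benign description. */
const char *const SAMPLE_REQUEST =
    "<u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
    "<NewExternalPort>3689</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewPortMappingDescription>Apple TV media share</NewPortMappingDescription>"
    "</u:AddPortMapping>";

/* Constructed oversized variant: an 80-byte description, larger than DESC_MAX. */
const char *const OVERSIZED_REQUEST =
    "<u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
    "<NewPortMappingDescription>"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "</NewPortMappingDescription></u:AddPortMapping>";

/* Run the checked parser and return its status code (0, -1 or -2). */
int checked_status(const char *msg)
{
    char desc[DESC_MAX];
    return copy_description_checked(msg, desc);
}

/* Run the checked parser and return the parsed description from a static
 * buffer, or NULL when the message was rejected. */
const char *checked_description(const char *msg)
{
    static char desc[DESC_MAX];
    return copy_description_checked(msg, desc) == 0 ? desc : NULL;
}

int main(void)
{
    printf("benign:    status %d, description \"%s\"\n",
           checked_status(SAMPLE_REQUEST), checked_description(SAMPLE_REQUEST));
    printf("oversized: status %d (rejected)\n", checked_status(OVERSIZED_REQUEST));
    return 0;
}
```

The checked version rejects rather than truncates: silently shortening an attacker-supplied field can hide the probe, while a hard rejection both prevents the overrun and gives the device something to log.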

FrSIRT, meanwhile, applied a "moderate risk" rating to the Mac OS X vulnerability, whose impact is limited to reduced network bandwidth. According to Apple, the flaw stems from a design error in the IPv6 protocol's handling of type 0 routing headers: such a header lets the sender list intermediate addresses the packet must visit, so a packet that names the same two hosts over and over can be made to cross the link between them many times, consuming bandwidth out of proportion to the traffic the attacker actually sends.

Systems running versions earlier than Mac OS X v10.4 are not affected, according to Apple.
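The standard mitigation for the routing-header issue, whether or not a vendor patch is available, is to drop IPv6 packets that carry a type 0 routing header at the network edge. The C program below is an added example, not Apple's fix and not code from the original article: it walks the IPv6 extension-header chain (wire format per RFC 2460) to find a Routing Type 0 header, and builds a constructed test packet whose address list alternates between 2001:db8::1 and 2001:db8::2 (documentation addresses), the pattern that bounces a packet back and forth across one link. Function and struct names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN 40
#define NH_HOPOPTS   0
#define NH_TCP       6
#define NH_ROUTING   43
#define NH_FRAGMENT  44
#define NH_DSTOPTS   60

/* What the filter learned about a packet's routing header. */
struct rh_check {
    int has_rh0;        /* 1 if a Routing Type 0 header was found */
    int segments_left;  /* its Segments Left field */
    int address_count;  /* number of 128-bit addresses it carries */
};

/* Walk the IPv6 extension-header chain looking for a Routing Header (next
 * header 43) with Routing Type 0. Returns -1 for a malformed packet, 0
 * otherwise; *out says whether an RH0 was present. A filter applying the
 * mitigation drops every packet for which out->has_rh0 is set. */
int check_rh0(const uint8_t *pkt, size_t len, struct rh_check *out)
{
    memset(out, 0, sizeof *out);
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6) return -1;
    uint8_t nh = pkt[6];           /* Next Header of the fixed header */
    size_t off = IPV6_HDR_LEN;
    for (;;) {
        switch (nh) {
        case NH_HOPOPTS: case NH_DSTOPTS: case NH_ROUTING: {
            /* Hdr Ext Len counts 8-octet units, excluding the first 8 octets. */
            if (off + 8 > len) return -1;
            size_t ext_len = ((size_t)pkt[off + 1] + 1) * 8;
            if (off + ext_len > len) return -1;
            if (nh == NH_ROUTING && pkt[off + 2] == 0) {
                if (pkt[off + 1] % 2 != 0) return -1;  /* RH0 must carry whole addresses */
                out->has_rh0 = 1;
                out->segments_left = pkt[off + 3];
                out->address_count = pkt[off + 1] / 2;
                return 0;
            }
            nh = pkt[off];
            off += ext_len;
            break;
        }
        case NH_FRAGMENT:          /* fixed 8 octets, no length field */
            if (off + 8 > len) return -1;
            nh = pkt[off];
            off += 8;
            break;
        default:                   /* upper-layer header: chain ended, no RH0 */
            return 0;
        }
    }
}

/* Constructed test packet: IPv6 header followed by an RH0 listing naddr hops
 * that alternate between 2001:db8::1 and 2001:db8::2. naddr == 0 builds a
 * plain packet with no extension headers. Returns the packet length, or 0 on
 * bad arguments (127 addresses is the most a 255-unit Hdr Ext Len can hold). */
size_t build_packet(uint8_t *buf, size_t cap, int naddr)
{
    static const uint8_t a[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1};
    static const uint8_t b[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,2};
    size_t rh_len = naddr ? 8 + 16 * (size_t)naddr : 0;
    size_t total = IPV6_HDR_LEN + rh_len;
    if (naddr < 0 || naddr > 127 || cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                            /* version 6 */
    buf[4] = (uint8_t)(rh_len >> 8);          /* payload length */
    buf[5] = (uint8_t)rh_len;
    buf[6] = naddr ? NH_ROUTING : NH_TCP;     /* next header */
    buf[7] = 64;                              /* hop limit */
    memcpy(buf + 8, a, 16);                   /* source */
    memcpy(buf + 24, b, 16);                  /* destination */
    if (naddr) {
        uint8_t *rh = buf + IPV6_HDR_LEN;
        rh[0] = NH_TCP;                       /* next header after the RH0 */
        rh[1] = (uint8_t)(2 * naddr);         /* hdr ext len: 2 units per address */
        rh[2] = 0;                            /* routing type 0 */
        rh[3] = (uint8_t)naddr;               /* segments left */
        for (int i = 0; i < naddr; i++)
            memcpy(rh + 8 + 16 * i, (i % 2 == 0) ? a : b, 16);
    }
    return total;
}

/* Build a packet with naddr listed hops, optionally truncated, and run the
 * check: -1 malformed, 0 no RH0, otherwise the number of addresses found
 * (roughly the number of times the packet would cross the A-B link). */
int scan_constructed(int naddr, size_t truncate_by)
{
    uint8_t buf[2100];
    struct rh_check r;
    size_t n = build_packet(buf, sizeof buf, naddr);
    if (n == 0 || truncate_by >= n) return -1;
    if (check_rh0(buf, n - truncate_by, &r) < 0) return -1;
    return r.has_rh0 ? r.address_count : 0;
}

int main(void)
{
    printf("plain packet: %d\n", scan_constructed(0, 0));
    printf("RH0 with 10 hops: %d addresses\n", scan_constructed(10, 0));
    printf("RH0 with 127 hops: %d addresses\n", scan_constructed(127, 0));
    printf("truncated RH0 packet: %d\n", scan_constructed(10, 1));
    return 0;
}
```

The address count is the useful number for an operator: a single 2 KB packet listing 127 alternating hops is enough to load one link well over a hundred times with the traffic of one packet, which is why dropping RH0 rather than merely rate-limiting it became the accepted answer.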

Amol Sarwate, manager of vulnerability research at Qualys, said today that he is not too concerned about the Mac OS X flaw because many enterprises have not yet migrated to IPv6, which offers a far larger address space and built-in support for IPsec.

"A lot of companies are still running IPv4," Sarwate said. "It's not hit yet [a migration to IPv6] because it requires a massive upgrade of the infrastructure."


Reported by Dan Kaplan.
