Update includes general performance and stability improvements, security fixes

Apr 23, 2014 09:07 GMT  ·  By

Alongside iOS 7.1.1 and Security Update 2014-002, a new version of the Apple TV software has been released, offering customers “general performance and stability improvements.” A set of security fixes is also included.

The “general performance and stability improvements” don’t apply to anything in particular, as these tweaks are made under-the-hood mainly to optimize the way iOS runs on the Apple TV hardware. However, the security side of the update is something we can discuss at length.

The patches apply to Apple TV second-generation and third-generation models. One of the flaws would allow an attacker in a privileged network position to obtain web site credentials, says the Cupertino company.

“Set-Cookie HTTP headers would be processed even if the connection closed before the header line was complete. An attacker could strip security settings from the cookie by forcing the connection to close before the security settings were sent, and then obtain the value of the unprotected cookie. This issue was addressed by ignoring incomplete HTTP header lines,” Apple explains.

Another vulnerability would enable a local user to read kernel pointers. This, in turn, would allow the user to bypass kernel address space layout randomization. The bug was reported by Ian Beer of Google Project Zero working with HP's Zero Day Initiative and subsequently patched by Apple.

The 6.1.1 update further prevents “triple handshake” attacks where “it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker's data in one connection, and renegotiate so that the connections may be forwarded to each other.”

After learning of this bug (from Antoine Delignat-Lavaud, Karthikeyan Bhargavan, and Alfredo Pironti of Prosecco at Inria Paris), Apple changed Secure Transport so that a renegotiation would present the same server certificate as in the original connection, by default.

Multiple memory corruption issues in WebKit would open the door for “unexpected application termination or arbitrary code execution.” More than a dozen such flaws were discovered by security researchers at big-name companies, but also amateurs who enjoy hacking and looking for flaws in software.

In reporting these issues on its Support site, Apple credits the Google Chrome Security Team, Renata Hodovan of University of Szeged / Samsung Electronics, KeenTeam and VUPEN working with HP's Zero Day Initiative, as well as others.

Customers can download Apple TV 6.1.1 firmware from their set-top boxes under General settings, or manually grab the installer at the supplied link and feed it to the box through iTunes.