Several security fixes included in AppleTV update
While the upgrade to the company's set-top box was advertised as adding support for remote control of iTunes and MobileMe, it also fixed some potentially serious flaws.
All six of the issues addressed with this last batch of patches deal with the potential for arbitrary code execution, with all but one also possibly leading to crashes of the device. Three of the flaws can be exploited through movie files, two through QuickTime, and the last through PICT images.
Of the movie file issues, all deal with the handling of so-called "atoms," which are bits of data in the QuickTime spec that hold various bits of information, such as title, codec identifiers, the encoded data, and so forth.
Heap buffer overflows could occur in the data reference, 'crgn', and 'chan' atoms, which could be used to launch arbitrary code and crash the device. To fix it, Apple added additional validation of the data reference atoms, while adding improved bounds checking to the latter two.
The QuickTime flaws address problems with the handling of file:// URLs, and HTTP responses when RTSP is enabled. The latter is again fixed by improved bounds checking, while the file:// URL issue is fixed by not permitting AppleTV to launch those URLs.
Finally, the PICT image issue occurs when a compressed PICT image is processed. If a maliciously crafted one is opened, it could allow for code to be executed or cause crashes. Apple said improved bounds checking here will also solve the problems.