-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2768
                                  tvOS 11.1
                               1 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple TV
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Root Compromise                 -- Remote with User Interaction
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13849 CVE-2017-13804 CVE-2017-13803 CVE-2017-13802
                   CVE-2017-13799 CVE-2017-13798 CVE-2017-13796 CVE-2017-13795
                   CVE-2017-13794 CVE-2017-13793 CVE-2017-13792 CVE-2017-13791
                   CVE-2017-13788 CVE-2017-13785 CVE-2017-13784 CVE-2017-13783
                   CVE-2017-13080

Reference:         ESB-2017.2638
                   ESB-2017.2620
                   ESB-2017.2600
                   ESB-2017.2599

Original Bulletin:
   https://support.apple.com/en-au/HT208219

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2017-10-31-3 tvOS 11.1

tvOS 11.1 is now available and addresses the following:

CoreText
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted text file may lead to an unexpected application termination
Description: A denial of service issue was addressed through improved memory handling.
CVE-2017-13849: Ro of SavSec

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2017-13799: an anonymous researcher

StreamingZip
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious zip file may be able to modify restricted areas of the file system
Description: A path handling issue was addressed with improved validation.
CVE-2017-13804: @qwertyoruiopz at KJC Research Intl. S.R.L.

WebKit
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2017-13785: Ivan Fratric of Google Project Zero
CVE-2017-13784: Ivan Fratric of Google Project Zero
CVE-2017-13783: Ivan Fratric of Google Project Zero
CVE-2017-13788: xisigr of Tencent's Xuanwu Lab (tencent.com)
CVE-2017-13798: Ivan Fratric of Google Project Zero
CVE-2017-13795: Ivan Fratric of Google Project Zero
CVE-2017-13802: Ivan Fratric of Google Project Zero
CVE-2017-13792: Ivan Fratric of Google Project Zero
CVE-2017-13794: Ivan Fratric of Google Project Zero
CVE-2017-13791: Ivan Fratric of Google Project Zero
CVE-2017-13796: Ivan Fratric of Google Project Zero
CVE-2017-13793: Hanul Choi working with Trend Micro's Zero Day Initiative
CVE-2017-13803: chenqin (陈钦) of Ant-financial Light-Year Security

Wi-Fi
Available for: Apple TV 4K
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven

Installation note:

Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software."

To check the current version of software, select "Settings -> General -> About."
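The StreamingZip entry above reports a path handling issue in zip extraction that was fixed with improved validation. As an added illustration of that class of check (editor's example, not code from Apple or from this bulletin, and unrelated to how tvOS implements it), the following Python extractor validates every archive entry name before writing it, rejects entries that would resolve outside the destination directory, and runs against a small in-memory archive whose entry names are constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_member(name: str) -> bool:
    """Return True only if a zip entry name stays inside the extraction root.

    Rejects empty names, embedded NULs, absolute paths, Windows drive or UNC
    prefixes, and any '..' component. Backslashes are treated as separators
    because archives produced on Windows may carry them.
    """
    if not name or "\x00" in name:
        return False
    normalized = name.replace("\\", "/")
    path = PurePosixPath(normalized)
    if path.is_absolute() or normalized.startswith("//"):
        return False
    if len(normalized) > 1 and normalized[1] == ":":  # e.g. C:/...
        return False
    return ".." not in path.parts


def safe_extract(archive_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract an archive into dest and return (extracted, rejected) entry names.

    Two layers of defence: the name check above, then a check on the fully
    resolved target path, which also catches escapes through symlinked
    directories that already exist under dest.
    """
    dest = dest.resolve()
    extracted: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_member(name):
                rejected.append(name)
                continue
            target = (dest / name.replace("\\", "/")).resolve()
            if target != dest and dest not in target.parents:
                rejected.append(name)
                continue
            if name.endswith("/"):
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed test fixture (hypothetical entry names): one benign entry
    and three entries that a correct extractor must refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../etc/escape.txt", "would land outside dest\n")
        zf.writestr("/tmp/absolute.txt", "absolute path\n")
        zf.writestr("sub\\..\\..\\escape.txt", "backslash traversal\n")
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the fixture into a scratch directory and report the outcome,
    including a listing of what actually landed on disk under the root."""
    with tempfile.TemporaryDirectory() as tmp:
        extracted, rejected = safe_extract(build_sample_archive(), Path(tmp))
        written = sorted(
            str(p.relative_to(tmp)) for p in Path(tmp).rglob("*") if p.is_file()
        )
    return {"extracted": extracted, "rejected": rejected, "written": written}


if __name__ == "__main__":
    print(run_demo())
```

Python's own `ZipFile.extract` silently strips leading slashes and `..` components rather than refusing the entry; the explicit reject list here is the point for a defender, because a rejected name is something you can log and alert on, whereas a silently repaired one leaves no trace that a crafted archive was ever seen.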
Information will also be posted to the Apple Security Updates web site:
https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----

iQJdBAEBCgBHFiEEcuX4rtoRe4X62yWlg6PvjDRstEYFAln4u78pHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQg6PvjDRstEYANRAA
mwauLif6cLmTRZf4ENKJUA1oMP5xVnua/W8eG3Pb5/7InUls4m3chSI0uCzcGD4w
Z4wVG/2ONKfHU/xjAB/IJcnBphQUsJyKyYp+mMDJHt5HJPW1gpyzdKoSmy3plFPM
Pghs6v5DaG1vF9s+zqNrnBQwX0Juqwo87CBcDfg5862p5gxWocpSsLGZ0DZ9sErn
eMkD/jTG9H4XYsI7T34DvDzCdFsFWGPPN6nWb9Vb0tcW4D/1WSaxJKJApXdJU6yz
Fj6W7CnFOkw7SSA1qb2xl7FyVN4mzxRTRF0f8IsCQfzI7kLpNJ6rIFX0kca8FVYM
ORzOLigK4eUuEeuCRV32yZuvxDF/2st3TzmFs0XKnzzd9MTIsqZogh/cv7v3MCUd
FBhfEiANx86AO6OZ5VtTzqLbchm3Dws15s6G94Cmj/epuGgHYpnKnJewlpX/pVW+
QSJ+QY/q9ucjd9pnDbcutt8gfY0NCLlyjix5i0I/zAm1LhqGJJAmh1nAziiIPfzl
BwI+awHCJMn9MTI56vrNsyfMIdd2X7Cux5OxEmr0sMkjAYdf3HVXA8fMb7tzukRT
br+WwVWAskuJCC2PiYHcGz1x7GTzZBWXPJ6/U1K+PsUSfN/nQKdh2U3L7ivVfRWi
sB8o+ec+qJeAoT41wLeCb67PgvFF//Gul8g5eh68wCI=
=255g
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWflkz4x+lLeg9Ub1AQjfxg//cobB4dw2zG8UP+ByaNj5gi/RFVgQB0ds
RCu2nme6JzjVm/TyZjXRqToDj+3jzz3AXes/TMj+bnHeRa9m2joWj5TDZmVJqEP1
aSEvDvng1BB5zlIfr4zhBwDHOMU2ovAJOqUforJWhp3Nr+Kvf/7LStA44+0WsQNZ
4A9zfAt+7w+qQNqzekITkFUuHAAqd0imH+U3f+wc4Llp1+hgAE6cCybwlEXvzeej
ZgFF9vcSCV+N+3/WQxQIbl4ukZlBJfprTrDSV8oGTtCfZGEKSrAPaz/Pg3uvyst5
8BsT//fVXyKx9x8G2jfv+G+ewH26TFt+9n5W35n+D3rm6cjxuZPkxys58HxanBjE
M7utXteJxOEGynHx29kCoG9KbSxp197z+vnjbQRB11FUq3CnGexn/VdADt58N1wt
Bvzof54hPHXWUzFoZGvF1p79pgI5h2bulBlU9Gq7X0/lG+rODua5KFkaHX9Mn8a5
gCkTbVKKXSJRkmX8mcEP5v74cba58J0pMxf59pRn0cde2hXG9sL571iTl+o/fB9C
xdx/Vn+5ewi0yzoNPOgG9wZDBC3TP5jWnTHm/s+PXPjkfjHZ5yu9SSuJO8aGvYBf
ID6rVRL+JGQyEiCdVGOClmnx9ZoChzQ6xOxv4KrFdlv+RyUb88OEbGVPYEFT5x5Y
yfbZyeIi7e0=
=0RPT
-----END PGP SIGNATURE-----