Apple has released Apple TV 5.2.1 with patches for three security issues that would allow a local user to execute unsigned code, determine the address of structures in the kernel, and execute arbitrary code in the kernel. This update is available for Apple TV 2nd generation and later.
Following are details of the three flaws resolved in this update:
- CVE-2013-0977: A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed by refusing to load an executable with overlapping segments.
- CVE-2013-0978: An information disclosure issue existed in the ARM prefetch abort handler. This issue was addressed by panicking if the prefetch abort handler is not being called from an abort context.
- CVE-2013-0981: The IOUSBDeviceFamily driver used pipe object pointers that came from userspace. This issue was addressed by performing additional validation of pipe object pointers.
Users can download the software update by turning on their Apple TV, then going to Settings > General > Update Software.