Apple has released two security fixes — one to patch an IPv6 vulnerability in its Mac OS X and the other to correct a more serious flaw in its Apple TV service. Both holes could permit remote attacks, although only the Apple TV buffer overflow vulnerability could be exploited to execute arbitrary code or launch a DoS condition.
The French Security Incident Response Team (FrSIRT) rated the vulnerability in Apple TV, a network device that permits users to play computer content on a television, as "critical." According to an Apple advisory, the flaw is present in the Internet Gateway Device Standardized Device Control Protocol code.
An attacker can deliver a maliciously crafted packet that can "trigger the overflow which may lead to an unexpected application termination or arbitrary code execution," Apple said. The security update resolves the issue by performing additional validation when processing such packets.
FrSIRT, meanwhile, applied a "moderate risk" rating to the Mac OS X vulnerability, which can only lead to reduced network bandwidth. According to Apple, the flaw relates to a design error in the IPv6 protocol’s handling of type 0 routing headers.
Systems running Mac OS X v10.4 or earlier versions are not affected, Apple said.
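A defender-side check for the Mac OS X issue above, added here as an example rather than taken from Apple's advisory: it walks an IPv6 packet's extension-header chain and reports a type 0 routing header (the header the flaw concerns), so a sensor or filter can log or drop such packets. The packet bytes and addresses are constructed for illustration.

```python
import struct

IPV6_NEXT_HEADER_ROUTING = 43
# Extension headers using the generic (next_header, hdr_ext_len) layout;
# fragment (44) and AH (51) encode length differently and end the walk here.
CHAINABLE_EXT_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options
ROUTING_TYPE_0 = 0
NO_NEXT_HEADER = 59

def find_rh0(packet: bytes):
    """Return details of a type 0 routing header if the packet carries one,
    else None. Raises ValueError on malformed input."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header = packet[6]
    offset = 40  # fixed IPv6 header length
    while next_header in CHAINABLE_EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nh, hdr_ext_len = packet[offset], packet[offset + 1]
        if next_header == IPV6_NEXT_HEADER_ROUTING:
            routing_type, segments_left = packet[offset + 2], packet[offset + 3]
            if routing_type == ROUTING_TYPE_0:
                # RH0: 8-byte fixed part followed by hdr_ext_len/2 16-byte addresses.
                # segments_left is the number of hops the packet will still bounce through.
                return {"offset": offset,
                        "segments_left": segments_left,
                        "addresses": hdr_ext_len // 2}
        offset += (hdr_ext_len + 1) * 8
        next_header = nh
    return None

def build_sample_rh0_packet(hops):
    """Construct (illustration only) an IPv6 packet carrying an RH0 listing `hops`."""
    rh0 = struct.pack("!BBBB4x", NO_NEXT_HEADER, len(hops) * 2,
                      ROUTING_TYPE_0, len(hops)) + b"".join(hops)
    src = bytes.fromhex("20010db8000000000000000000000001")  # documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000002")
    ipv6 = struct.pack("!IHBB", 0x60000000, len(rh0), IPV6_NEXT_HEADER_ROUTING, 64)
    return ipv6 + src + dst + rh0

if __name__ == "__main__":
    hop = bytes.fromhex("20010db8000000000000000000000003")
    print(find_rh0(build_sample_rh0_packet([hop, hop])))
```

RFC 5095 later deprecated RH0 outright, so a filter can simply drop any packet for which `find_rh0` returns a result rather than reasoning about its address list.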
Amol Sarwate, manager of vulnerability research at Qualys, told SCMagazine.com today that he is not too concerned about the Mac OS X flaw because many businesses have not yet migrated to IPv6, which includes added address space and increased data security.
"A lot of companies are still running IPv4," Sarwate said. "It's not hit yet [a migration to IPv6] because it requires a massive upgrade of the infrastructure."