October 15, 2024 at 01:51PM
Apple released a security update for tvOS 17.6 on July 29, 2024, addressing several vulnerabilities (CVE-2024-40774, CVE-2024-40799, CVE-2024-40815, etc.) that could allow apps to bypass privacy settings, cause app terminations, reveal kernel memory layout, or enable cross-site scripting attacks. The update is available for Apple TV HD and Apple TV 4K models.
### Key Takeaways
**Apple ID:** 120914
**Release Date:** July 29, 2024
**Affected Product:** About the security content of tvOS 17.6
**Update Availability:** Apple TV HD and Apple TV 4K (all models)
#### Security Vulnerabilities and Fixes:
1. **CVE-2024-40774**
   - **Description:** Downgrade issue fixed with additional code-signing restrictions.
   - **Impact:** Apps may bypass Privacy preferences.
2. **CVE-2024-40799**
   - **Description:** Out-of-bounds read issue fixed with improved input validation.
   - **Impact:** Maliciously crafted files may cause unexpected app termination.
3. **CVE-2024-40815**
   - **Description:** Race condition fixed with additional validation.
   - **Impact:** Attackers may bypass Pointer Authentication.
4. **CVE-2024-40795, CVE-2023-6277, CVE-2023-52356, CVE-2024-40806, CVE-2024-40777**
   - **Description:** Out-of-bounds access issues addressed with improved bounds checking.
   - **Impact:** Processing malicious files may result in unexpected app termination.
5. **CVE-2024-40784, CVE-2024-27863**
   - **Description:** Information disclosure issues fixed with better private data redaction in logs.
   - **Impact:** Local attackers could determine kernel memory layout.
6. **CVE-2024-40788**
   - **Description:** Type confusion issue corrected with better memory handling.
   - **Impact:** Local attackers may be able to cause an unexpected system shutdown.
7. **CVE-2024-40805**
   - **Description:** Permissions issue addressed with additional restrictions.
   - **Impact:** Apps may bypass Privacy preferences.
8. **CVE-2024-40776, CVE-2024-40782, CVE-2024-40779, CVE-2024-40780, CVE-2024-40785**
   - **Description:** Issues fixed with improved checks.
   - **Impact:** Maliciously crafted web content may result in cross-site scripting attacks.
9. **CVE-2024-40789**
   - **Description:** Out-of-bounds access issue fixed with improved bounds checking.
   - **Impact:** Processing maliciously crafted web content may cause unexpected process crashes.
### Summary:
The tvOS 17.6 update is critical for security: it addresses issues affecting privacy preferences and app stability, and protects against various forms of attack, including cross-site scripting and memory access vulnerabilities. All Apple TV HD and Apple TV 4K devices are eligible for the update.