Vulmon
<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="36"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#37">By Date</a>
<a href="38"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="36"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#37">By Thread</a>
<a href="38"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>
</div>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">APPLE-SA-2020-09-16-2 tvOS 14.0</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: Apple Product Security via Fulldisclosure <fulldisclosure () seclists org>
<em>Date</em>: Wed, 16 Sep 2020 14:54:37 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2020-09-16-2 tvOS 14.0
tvOS 14.0 is now available and addresses the following:
Assets
Available for: Apple TV 4K and Apple TV HD
Impact: An attacker may be able to misuse a trust relationship to
download malicious content
Description: A trust issue was addressed by removing a legacy API.
CVE-2020-9979: CodeColorist of Ant-Financial LightYear Labs
Keyboard
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to leak sensitive user
information
Description: A logic issue was addressed with improved state
management.
CVE-2020-9976: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany
Sandbox
Available for: Apple TV 4K and Apple TV HD
Impact: A malicious application may be able to access restricted
files
Description: A logic issue was addressed with improved restrictions.
CVE-2020-9968: Adam Chester(@xpn) of TrustedSec
WebKit
Available for: Apple TV 4K and Apple TV HD
Impact: Processing maliciously crafted web content may lead to a
cross site scripting attack
Description: An input validation issue was addressed with improved
input validation.
CVE-2020-9952: Ryan Pickren (ryanpickren.com)
Additional recognition
Bluetooth
We would like to acknowledge Andy Davis of NCC Group and Dennis
Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab for
their assistance.
Core Location
We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for
their assistance.
iAP
We would like to acknowledge Andy Davis of NCC Group for their
assistance.
iBoot
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.
Kernel
We would like to acknowledge Brandon Azad of Google Project Zero for
their assistance.
Location Framework
We would like to acknowledge an anonymous researcher for their
assistance.
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> System -> Software Update -> Update Software."
To check the current version of software, select
"Settings -> General -> About."
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl9igrwACgkQZcsbuWJ6
jjC20Q//btHc0XNdZu1M133Uqeckujc3BdhVhImPTm4brg/OExquRj5vBKU+XsR0
vv439zYv3cJcxWPZIFoS3sHvm7B+PmGmBbgkhxwfRjejW93jBND9YjEywLfZchlB
07FuHf2eBbkURtxZ0sSPJ8zOMeAliIhFsjcstrPm2IqSNmtK2TUFCbAB7keZo2Zy
V5e9Zrktnmv4O024gTKKcFIJK7cmZNu7DSMxoKcarRemk6uAyRoOrixnlo7SWR68
Tik1TmSt86GzsaXtmxwFIywGa/Im95/gj0C1cCwkJVi/xwf+nWq0H5hhWCqOHJdx
hvjhVKizxZvmOewjO1wDNCZs5MdeRKs+GntG+2Qg7aCVWkz3fFVDGFo+2AIaGrq2
WjxtyQZHVLrGsg8+K5bxfB0cmcUyVJWS2hvM/vFn71ZUbC9OmINpHHqxyUqQ0yNu
O9QBC4crSyO9EQzrYJJjMlphWxYd4cQFQ+pinSy0P+Y0dev12qvWxC+aZiIOQ4rV
+bcgh9U4HfrF6sp0sZ/2wRmDLvQjxPJvdqhpjvrRRY2b9ohTQKqEw1P7RKEbMkZw
H4q/7H+5K7Z9nw388uhWxr6dRVVzz2jLzgefUetO6RlI5y0xeMqH8UwIAauQ62Gz
3p2iaZF84VNSETWDJXeAjRgbkSFIxnJERbnxntsLolb8BoWTsg0=
=TS1A
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="36"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#37">By Date</a>
<a href="38"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="36"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#37">By Thread</a>
<a href="38"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>APPLE-SA-2020-09-16-2 tvOS 14.0</strong> <em>Apple Product Security via Fulldisclosure (Sep 18)</em>
</li></ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>