In addition to issuing a quick fix for a dangerous SSL vulnerability with last week’s release of iOS 7.0.6 (you can apply the update without upgrading your firmware), Apple has also released a companion update for its $99 streaming box, the Apple TV.
The Apple TV 6.0.2 software update (hat tip to iDB reader Gil) carries a build number of 6646.81.1 and fixes the SSL bug which allows attackers to steal your usernames and passwords used on iTunes Store and other services, by posing as a legitimate site.
The exploit affects Apple’s Safari browser so Apple TV users are not necessarily in immediate danger like their Mac counterparts…
Release notes for the Apple TV 6.0.2 software update state that the bug enables attackers with a privileged network position to “capture or modify data in sessions protected by SSL/TLS” protocols.
“Secure Transport failed to validate the authenticity of the connection,” the firm explains.
This issue was addressed by restoring missing validation steps. The new firmware was released five days ago and files as Apple’s first security update for the Apple TV in 2014.
It’s interesting that Apple also notes the following:
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
The firm’s been criticized for not issuing an emergency fix for OS X Mavericks systems.
The patch is available for the second-generation Apple TV or later and can be applied manually by choosing Settings > General > Software Updates > Update Software.
A security researcher this morning reported being able to exploit the bug in order to capture nearly all SSL encrypted traffic.
This includes not only your usernames and passwords, but a treasure trove of other data as well, such as Apple’s app updates, iCloud data, KeyChain enrollment and updates, data from Calendar application, Find My Mac updates and traffic from apps that use certificate pining (i.e. Twitter).