Yesterday we  saw the new HBO NOW service being announced for the Apple TV as well as a significant $30 cut in the Apple TV 3 pricing. On the code side, Apple TV also received a new software update.

No, it doesn’t add the HBO NOW channel nor a new user interface, but instead it deals with three security fixes. The Apple TV software update 7.1 includes security fixes thta patch different flaws that let hackers intercept SSL/TLS connections, execute arbitrary code with system privileges and create folders in trusted areas in the file system.

According to iDownloadblog, the first one is the most serious one and is dubbed as FREAK attack.

[..] the high profile SSL flaw known as “FREAK.” Spotlighted last week, the bug allows would-be attackers to spy on communications made through Safari.
More specifically, FREAK stands for Factoring RSA Export Keys, and it affects certain embodiments of web encryption technologies SSL and TLS. If used maliciously, the flaw could leave systems open to what are known as man-in-the-middle attacks.

And in case you’re wondering, updates for OS X and iOS was also pushed out yesterday which neutralizes the same bugs.

Many Apple TV users are reporting that the update is not yet available for their location. You can head over to Settings > General > Software Update and check if you’ve got it.

Be sure to follow Apple TV Hacks on Twitter, Facebook or Google+ for all the latest Apple TV-related news.

The post Apple rolls out a security update for Apple TV appeared first on Apple TV Hacks.

Very few people noticed that Apple released Apple TV software update 7.0.1 for the 3rd gen Apple TV yesterday alongside iOS 8.1. Although the company hasn’t updated the Apple TV support page yet, it seems that the update only addresses some security vulnerabilities.

According to this Apple product security page, the 7.0.1 update contains two security fixes:

• Impact: A malicious Bluetooth input device may bypass pairing. Description: Unencrypted connections were permitted from Human Interface Device-class Bluetooth Low Energy accessories. If a device had paired with such an accessory, an attacker could spoof the legitimate accessory to establish a connection. The issue was addressed by denying unencrypted HID connections.

• Impact: An attacker may be able to decrypt data protected by SSL. Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.

Let us know in the comments if you discover any other changes in Apple TV 7.0.1.

Update: 

Apple TV Software Update 7.0.1—Apple TV (3rd generation) only

 
Be sure to follow Apple TV Hacks on Twitter, Facebook or Google+ for all the latest Apple TV-related news.

The post Apple TV software update 7.0.1 released with security fixes (updated) appeared first on Apple TV Hacks.

This Friday, Apple revealed a major security glitch in Apple’s iOS devices, relatated to SSL implementation. Later analysts looked into it only to find that OS X and Apple TV are also affected and that it is an easily exploitable yet a seriously injurious one.

I’m not going to talk details about the Apple bug except to say the following. It is seriously exploitable and not yet under control.

— Matthew Green (@matthew_d_green) February 21, 2014

The bug seems to result in failed validation of SSL certification of sites. And for users that would mean, many data which are supposed to be secure are being transferred un-encrypted. Though domain access seems to be protected, direct SSL connections to IP addresses was found to be exploitable. So a hacker’s access to data used through Safari is unlikely, but to that through apps is possible as most of them communicates directly with their servers. And that is why Apple TV apps can also be affected.

Apple describes the vulnerability as follows:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

You can read more on the bug here.

But no worries, Apple is quick to seal the bleed and released new software updates for the affected devices. 7.0.6 for iOS devices, 6.1.6 for older iOS devices and 6.0.2 for Apple TV 2 and 3 are now available. You can goto Settings > General > Software update to check for and install the new firmware.

However OS X bug is still unrepaired, during the time of writing. You can quickly browse to gotofail.com to find out if any of your device is vulnerable. If yes, I recommend you guys to update immediately. Else any hacker could pose as a secure site and pull you data.

Now, though things have settled a bit for users, they are far from over for Apple. It is still uncertain as to when the bug was introduced (surely before iOS 6) and whether anybody has already been victim to unauthorized access. Many developers have explained on their blogs as to how the bug works and how it could be exploited and this could pose a great threat to those who haven’t patched it yet.

On the other hand, some are accusing this to be an intentional backdoor for NSA access while others are wondering if there are more such simple, unnoticed security breach roads. Only time will tell if Apple will shine above these dark clouds or get buried in lawsuits.

Be sure to follow Apple TV Hacks on Facebook, Twitter and Google+ for all the latest Apple TV-related news.

The post Apple patches major security bug on Apple TV via 6.0.2 update appeared first on Apple TV Hacks.