Daily Archives: February 28, 2016

Apple Releases Security Update for Apple TV

Late last week Apple released a single security update for Apple TV, bringing it to version 7.2.1 and addressing 61 security issues, more formally known as CVEs (defined).

As always, full details of all of these updates are provided on Apple’s Security Updates page. Further release notes are available here. Noteworthy fixes included are as follows:

Code Signing (4x CVEs)
CoreMedia Playback (2x CVEs)
CoreText (2x CVEs)
FontParser (3x CVEs)
ImageIO (3x CVEs)
Apple TV kernel (2x CVEs) (the concept of a kernel is defined here)
libc (3x CVEs)
libpthread (1x CVE)
libxpc (1x CVE)
WebKit (the renderer of Safari) (24x CVEs)

If you use Apple TV, please install the appropriate update as soon as possible. For advice on how to install updates for Apple TV, please see this page.

Thank you.

Upcoming Pwn2Own 2016 Contest Announced

Update: 20th March 2016:
A more recent blog post discusses the outcome of Pwn2Own 2016.

Thank you.

=======================
Original Post
=======================
Next month on March the 16th and 17th the annual CanSecWest security conference will take place. As you know I’m a particular fan of this since it includes the Pwn2Own contest.

This year Mozilla Firefox and Adobe Reader won’t be included. Exploits for Firefox are quite rare, while exploits for Adobe Reader have mostly ceased to be used by exploit kits (defined) in recent years, so I can see why this decision was made. Even so, we still see security updates being made available for both of these products on a regular basis. Another change is that the operating systems to be exploited won’t be installed directly on the computers within the contest but within VMware virtual machines (VMs). Additional prize money will be awarded if the researchers can have their exploits escape from within the VMs.

This contest will mark the first time that Apple Mac OS X 10.11 (“El Capitan”), Microsoft Edge and Windows 10 will be part of the competition, as security researchers attempt to exploit the very latest versions of these products. Similar to last year, Microsoft EMET will be used to make the exploitation of vulnerabilities more difficult. Whether more vulnerabilities will be found in EMET or whether it is simply present for the purpose mentioned above remains to be seen.

Further details of this year’s contest are available here. I will post again when the results of the contest are known and will include any highlights of how we, as users of the software present in the contest, can look forward to being more secure and/or whether, as a result of the contest, more security features will be added.

Thank you.