Home / mailings APPLE-SA-01-22-2024-9 tvOS 17.3
Posted on 23 January 2024
Apple Security-announceAPPLE-SA-01-22-2024-9 tvOS 17.3
tvOS 17.3 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT214055.
Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.
Apple Neural Engine
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23212: Ye Zhang of Baidu Security
CoreCrypto
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5
ciphertexts without having the private key
Description: A timing side-channel issue was addressed with improvements
to constant-time computation in cryptographic functions.
CVE-2024-23218: Clemens Lang
Kernel
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to execute arbitrary code with kernel
privileges
Description: The issue was addressed with improved memory handling.
CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team of
Legendsec at QI-ANXIN Group
NSSpellChecker
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to access sensitive user data
Description: A privacy issue was addressed with improved handling of
files.
CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)
TCC
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to access user-sensitive data
Description: An issue was addressed with improved handling of temporary
files.
CVE-2024-23215: Zhongquan Li (@Guluisacat)
Time Zone
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: An app may be able to view a user's phone number in system logs
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)
WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: A maliciously crafted webpage may be able to fingerprint the
user
Description: An access issue was addressed with improved access
restrictions.
WebKit Bugzilla: 262699
CVE-2024-23206: an anonymous researcher
WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing web content may lead to arbitrary code execution
Description: The issue was addressed with improved memory handling.
WebKit Bugzilla: 266619
CVE-2024-23213: Wangtaiyu of Zhongfu info
WebKit
Available for: Apple TV HD and Apple TV 4K (all models)
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may have been
exploited.
Description: A type confusion issue was addressed with improved checks.
WebKit Bugzilla: 267134
CVE-2024-23222
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting "Settings ->
System -> Software Update -> Update Software." To check the current
version of software, select "Settings -> General -> About."
All information is also posted on the Apple Security Updates
web site: https://support.apple.com/en-us/HT201222.
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
