===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2015.2462
watchOS 2
22 September 2015

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Apple Watch
Publisher:         Apple
Operating System:  Mobile Device
Impact/Access:     Administrator Compromise       -- Remote with User Interaction
                   Root Compromise                -- Existing Account
                   Access Privileged Data         -- Remote/Unauthenticated
                   Modify Arbitrary Files         -- Existing Account
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5919 CVE-2015-5918 CVE-2015-5916 CVE-2015-5912
                   CVE-2015-5903 CVE-2015-5899 CVE-2015-5898 CVE-2015-5896
                   CVE-2015-5895 CVE-2015-5885 CVE-2015-5882 CVE-2015-5876
                   CVE-2015-5874 CVE-2015-5869 CVE-2015-5868 CVE-2015-5863
                   CVE-2015-5862 CVE-2015-5848 CVE-2015-5847 CVE-2015-5846
                   CVE-2015-5845 CVE-2015-5844 CVE-2015-5843 CVE-2015-5842
                   CVE-2015-5841 CVE-2015-5840 CVE-2015-5839 CVE-2015-5837
                   CVE-2015-5834 CVE-2015-5829 CVE-2015-5824 CVE-2015-5748
                   CVE-2015-5523 CVE-2015-5522 CVE-2015-1205 CVE-2014-8146
                   CVE-2013-3951

Reference:         ASB-2015.0011
                   ESB-2015.2428
                   ESB-2015.2426
                   ESB-2015.2113
                   ESB-2015.2002
                   ESB-2015.1892

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2015-09-21-1 watchOS 2

watchOS 2 is now available and addresses the following:

Apple Pay
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Some cards may allow a terminal to retrieve limited recent transaction information when making a payment
Description: The transaction log functionality was enabled in certain configurations. This issue was addressed by removing the transaction log functionality.
CVE-ID
CVE-2015-5916

Audio
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Playing a malicious audio file may lead to an unexpected application termination
Description: A memory corruption issue existed in the handling of audio files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.: Prof. Taekyoung Kwon), Yonsei University, Seoul, Korea

Certificate Trust Policy
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Update to the certificate trust policy
Description: The certificate trust policy was updated. The complete list of certificates may be viewed at https://support.apple.com/en-us/HT204873.

CFNetwork
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: An attacker with a privileged network position may intercept SSL/TLS connections
Description: A certificate validation issue existed in NSURL when a certificate changed. This issue was addressed through improved certificate validation.
CVE-ID
CVE-2015-5824 : Timothy J. Wood of The Omni Group

CFNetwork
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Connecting to a malicious web proxy may set malicious cookies for a website
Description: An issue existed in the handling of proxy connect responses. This issue was addressed by removing the set-cookie header while parsing the connect response.
CVE-ID
CVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University

CFNetwork
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: An attacker in a privileged network position can track a user's activity
Description: A cross-domain cookie issue existed in the handling of top level domains.
The issue was addressed through improved restrictions of cookie creation.
CVE-ID
CVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua University

CFNetwork
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Malicious FTP servers may be able to cause the client to perform reconnaissance on other hosts
Description: An issue existed in FTP clients while checking when proxy was in use. This issue was resolved through improved validation.
CVE-ID
CVE-2015-5912 : Amit Klein

CFNetwork
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A person with physical access to an iOS device may read cache data from Apple apps
Description: Cache data was encrypted with a key protected only by the hardware UID. This issue was addressed by encrypting the cache data with a key protected by the hardware UID and the user's passcode.
CVE-ID
CVE-2015-5898 : Andreas Kurtz of NESO Security Labs

CoreCrypto
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: An attacker may be able to determine a private key
Description: By observing many signing or decryption attempts, an attacker may have been able to determine the RSA private key. This issue was addressed using improved encryption algorithms.

CoreText
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team

Data Detectors Engine
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Processing a maliciously crafted text file may lead to arbitrary code execution
Description: Memory corruption issues existed in the processing of text files. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-5829 : M1x7e1 of Safeye Team (www.safeye.org)

Dev Tools
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in dyld. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5876 : beist of grayhash

dyld
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: An application may be able to bypass code signing
Description: An issue existed with validation of the code signature of executables. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-5839 : @PanguTeam, TaiG Jailbreak Team

Disk Images
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in DiskImages. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5847 : Filippo Bigarella, Luca Todesco

GasGauge
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local user may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5918 : Apple
CVE-2015-5919 : Apple

ICU
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Multiple vulnerabilities in ICU
Description: Multiple vulnerabilities existed in ICU versions prior to 53.1.0. These issues were addressed by updating ICU to version 55.1.
CVE-ID
CVE-2014-8146
CVE-2015-1205

IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A malicious application may be able to determine kernel memory layout
Description: An issue existed that led to the disclosure of kernel memory content.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2015-5834 : Cererdlong of Alibaba Mobile Security Team

IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in IOAcceleratorFamily. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5848 : Filippo Bigarella

IOKit
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5844 : Filippo Bigarella
CVE-2015-5845 : Filippo Bigarella
CVE-2015-5846 : Filippo Bigarella

IOMobileFrameBuffer
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in IOMobileFrameBuffer. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5843 : Filippo Bigarella

IOStorageFamily
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local attacker may be able to read kernel memory
Description: A memory initialization issue existed in the kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5863 : Ilja van Sprundel of IOActive

Kernel
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local user may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team
CVE-2015-5896 : Maxime Villard of m00nbsd
CVE-2015-5903 : CESG

Kernel
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local attacker may control the value of stack cookies
Description: Multiple weaknesses existed in the generation of user space stack cookies. This was addressed through improved generation of stack cookies.
CVE-ID
CVE-2013-3951 : Stefan Esser

Kernel
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local process can modify other processes without entitlement checks
Description: An issue existed where root processes using the processor_set_tasks API were allowed to retrieve the task ports of other processes. This issue was addressed through added entitlement checks.
CVE-ID
CVE-2015-5882 : Pedro Vilaca, working from original research by Ming-chieh Pan and Sung-ting Tsai; Jonathan Levin

Kernel
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: An attacker in a local LAN segment may disable IPv6 routing
Description: An insufficient validation issue existed in handling of IPv6 router advertisements that allowed an attacker to set the hop limit to an arbitrary value. This issue was addressed by enforcing a minimum hop limit.
CVE-ID
CVE-2015-5869 : Dennis Spindel Ljungmark

Kernel
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local user may be able to determine kernel memory layout
Description: An issue existed in XNU that led to the disclosure of kernel memory. This was addressed through improved initialization of kernel memory structures.
CVE-ID
CVE-2015-5842 : beist of grayhash

Kernel
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local user may be able to cause a system denial of service
Description: An issue existed in HFS drive mounting. This was addressed by additional validation checks.
CVE-ID
CVE-2015-5748 : Maxime Villard of m00nbsd

libpthread
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A local user may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team

PluginKit
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: A malicious enterprise application can install extensions before the application has been trusted
Description: An issue existed in the validation of extensions during installation. This was addressed through improved app verification.
CVE-ID
CVE-2015-5837 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei of FireEye, Inc.

removefile
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Processing malicious data may lead to unexpected application termination
Description: An overflow fault existed in the checkint division routines. This issue was addressed with improved division routines.
CVE-ID
CVE-2015-5840 : an anonymous researcher

SQLite
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Multiple vulnerabilities in SQLite v3.8.5
Description: Multiple vulnerabilities existed in SQLite v3.8.5. These issues were addressed by updating SQLite to version 3.8.10.2.
CVE-ID
CVE-2015-5895

tidy
Available for: Apple Watch Sport, Apple Watch, and Apple Watch Edition
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue existed in Tidy. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5522 : Fernando Munoz of NULLGroup.com
CVE-2015-5523 : Fernando Munoz of NULLGroup.com

Installation note:

Instructions on how to update your Apple Watch software are available at https://support.apple.com/en-us/HT204641

To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================