===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2766
                                watchOS 4.1
                              1 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple Watch
Publisher:         Apple
Operating System:  Mobile Device
Impact/Access:     Root Compromise                -- Remote with User Interaction
                   Access Privileged Data         -- Remote/Unauthenticated
                   Modify Arbitrary Files         -- Remote with User Interaction
                   Denial of Service              -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13849 CVE-2017-13804 CVE-2017-13799
                   CVE-2017-13080
Reference:         ESB-2017.2638
                   ESB-2017.2620
                   ESB-2017.2600
                   ESB-2017.2599

Original Bulletin:
   https://support.apple.com/en-au/HT208220

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2017-10-31-4 watchOS 4.1

watchOS 4.1 is now available and addresses the following:

CoreText
Available for:  All Apple Watch models
Impact: Processing a maliciously crafted text file may lead to an
unexpected application termination
Description: A denial of service issue was addressed through improved
memory handling.
CVE-2017-13849: Ro of SavSec

Kernel
Available for:  All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-13799: an anonymous researcher

StreamingZip
Available for:  All Apple Watch models
Impact: A malicious zip file may be able to modify restricted areas of
the file system
Description: A path handling issue was addressed with improved
validation.
CVE-2017-13804: @qwertyoruiopz at KJC Research Intl. S.R.L.

Wi-Fi
Available for:  Apple Watch Series 1 and Apple Watch Series 2
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA
clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state
transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================