-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3916
                    APPLE-SA-2020-11-05-5 watchOS 5.3.9
                              9 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple watchOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Root Compromise                 -- Unknown/Unspecified         
                   Access Privileged Data          -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27950 CVE-2020-27932 CVE-2020-27930

Reference:         ESB-2020.3911
                   ESB-2020.3910
                   ESB-2020.3909

Original Bulletin: 
   https://support.apple.com/en-us/HT211945

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-11-05-5 watchOS 5.3.9

watchOS 5.3.9 is now available and addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT211945.

FontParser
Available for: Apple Watch Series 1, Apple Watch Series 2, Apple
Watch Series 3, and Apple Watch Series 4 when paired to an iPhone
with iOS 12 installed
Impact: Processing a maliciously crafted font may lead to arbitrary
code execution. Apple is aware of reports that an exploit for this
issue exists in the wild.
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-27930: Google Project Zero

Kernel
Available for: Apple Watch Series 1, Apple Watch Series 2, Apple
Watch Series 3, and Apple Watch Series 4 when paired to an iPhone
with iOS 12 installed
Impact: A malicious application may be able to disclose kernel
memory. Apple is aware of reports that an exploit for this issue
exists in the wild.
Description: A memory initialization issue was addressed.
CVE-2020-27950: Google Project Zero

Kernel
Available for: Apple Watch Series 1, Apple Watch Series 2, Apple
Watch Series 3, and Apple Watch Series 4 when paired to an iPhone
with iOS 12 installed
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges. Apple is aware of reports that an exploit for
this issue exists in the wild.
Description: A type confusion issue was addressed with improved state
handling.
CVE-2020-27932: Google Project Zero

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----