===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3916
                    APPLE-SA-2020-11-05-5 watchOS 5.3.9
                              9 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple watchOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Root Compromise                 -- Unknown/Unspecified
                   Access Privileged Data          -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27950 CVE-2020-27932 CVE-2020-27930

Reference:         ESB-2020.3911
                   ESB-2020.3910
                   ESB-2020.3909

Original Bulletin:
   https://support.apple.com/en-us/HT211945

--------------------------BEGIN INCLUDED TEXT--------------------

APPLE-SA-2020-11-05-5 watchOS 5.3.9

watchOS 5.3.9 is now available and addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT211945.

FontParser
Available for: Apple Watch Series 1, Apple Watch Series 2, Apple
Watch Series 3, and Apple Watch Series 4 when paired to an iPhone
with iOS 12 installed
Impact: Processing a maliciously crafted font may lead to arbitrary
code execution. Apple is aware of reports that an exploit for this
issue exists in the wild.
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-27930: Google Project Zero

Kernel
Available for: Apple Watch Series 1, Apple Watch Series 2, Apple
Watch Series 3, and Apple Watch Series 4 when paired to an iPhone
with iOS 12 installed
Impact: A malicious application may be able to disclose kernel
memory. Apple is aware of reports that an exploit for this issue
exists in the wild.
Description: A memory initialization issue was addressed.
CVE-2020-27950: Google Project Zero

Kernel
Available for: Apple Watch Series 1, Apple Watch Series 2, Apple
Watch Series 3, and Apple Watch Series 4 when paired to an iPhone
with iOS 12 installed
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges. Apple is aware of reports that an
exploit for this issue exists in the wild.
Description: A type confusion issue was addressed with improved
state handling.
CVE-2020-27932: Google Project Zero

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================