Operating System: Apple iOS

Published: 09 November 2020

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3917
                    APPLE-SA-2020-11-05-4 watchOS 6.2.9
                              9 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apple watchOS
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Root Compromise                 -- Unknown/Unspecified         
                   Access Privileged Data          -- Unknown/Unspecified         
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27950 CVE-2020-27932 CVE-2020-27930

Reference:         ESB-2020.3911
                   ESB-2020.3910
                   ESB-2020.3909
                   ESB-2020.3916

Original Bulletin: 
   https://support.apple.com/en-us/HT211944

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2020-11-05-4 watchOS 6.2.9

watchOS 6.2.9 is now available and addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT211944.

FontParser
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted font may lead to arbitrary
code execution. Apple is aware of reports that an exploit for this
issue exists in the wild.
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2020-27930: Google Project Zero

Kernel
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to disclose kernel
memory. Apple is aware of reports that an exploit for this issue
exists in the wild.
Description: A memory initialization issue was addressed.
CVE-2020-27950: Google Project Zero

Kernel
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges. Apple is aware of reports that an exploit for
this issue exists in the wild.
Description: A type confusion issue was addressed with improved state
handling.
CVE-2020-27932: Google Project Zero

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----