-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0409
                    APPLE-SA-2022-01-26-6 watchOS 8.4
                               28 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           watchOS 8.4
Publisher:         Apple
Operating System:  Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Root Compromise                 -- Unknown/Unspecified
                   Access Confidential Data        -- Unknown/Unspecified
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22594 CVE-2022-22593 CVE-2022-22592 CVE-2022-22590
                   CVE-2022-22589 CVE-2022-22585 CVE-2022-22584 CVE-2022-22578
Reference:         ESB-2022.0407 ESB-2022.0406 ESB-2022.0401 ESB-2022.0400
                   ESB-2022.0399

Original Bulletin:
   https://support.apple.com/en-us/HT213059

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-01-26-6 watchOS 8.4

watchOS 8.4 addresses the following issues. Information about the
security content is also available at https://support.apple.com/HT213059.

ColorSync
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted file may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro

Crash Reporter
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to gain root privileges
Description: A logic issue was addressed with improved validation.
CVE-2022-22578: an anonymous researcher

iCloud
Available for: Apple Watch Series 3 and later
Impact: An application may be able to access a user's files
Description: An issue existed within the path validation logic for
symlinks. This issue was addressed with improved path sanitization.
CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab
(https://xlab.tencent.com)

Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow issue was addressed with improved memory
handling.
CVE-2022-22593: Peter Nguyễn Vũ Hoàng of STAR Labs

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to arbitrary
code execution
Description: A use after free issue was addressed with improved memory
management.
CVE-2022-22590: Toan Pham from Team Orca of Sea Security
(security.sea.com)

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may prevent Content
Security Policy from being enforced
Description: A logic issue was addressed with improved state management.
CVE-2022-22592: Prakash (@1lastBr3ath)

WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted mail message may lead to running
arbitrary javascript
Description: A validation issue was addressed with improved input
sanitization.
CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu of
Palo Alto Networks (paloaltonetworks.com)

WebKit Storage
Available for: Apple Watch Series 3 and later
Impact: A website may be able to track sensitive user information
Description: A cross-origin issue in the IndexDB API was addressed with
improved input validation.
CVE-2022-22594: Martin Bajanik of FingerprintJS

Additional recognition

WebKit
We would like to acknowledge Prakash (@1lastBr3ath) for their assistance.

Installation note:

Instructions on how to update your Apple Watch software are available at
https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app on
your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates web site:
https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details
are available at:
https://www.apple.com/support/security/pgp/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================