Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0409
APPLE-SA-2022-01-26-6 watchOS 8.4
28 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: watchOS 8.4
Publisher: Apple
Operating System: Apple iOS
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Root Compromise -- Unknown/Unspecified
Access Confidential Data -- Unknown/Unspecified
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2022-22594 CVE-2022-22593 CVE-2022-22592
CVE-2022-22590 CVE-2022-22589 CVE-2022-22585
CVE-2022-22584 CVE-2022-22578
Reference: ESB-2022.0407
ESB-2022.0406
ESB-2022.0401
ESB-2022.0400
ESB-2022.0399
Original Bulletin:
https://support.apple.com/en-us/HT213059
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2022-01-26-6 watchOS 8.4
watchOS 8.4 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/HT213059.
ColorSync
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted file may lead to arbitrary
code execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2022-22584: Mickey Jin (@patch1t) of Trend Micro
Crash Reporter
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to gain root privileges
Description: A logic issue was addressed with improved validation.
CVE-2022-22578: an anonymous researcher
iCloud
Available for: Apple Watch Series 3 and later
Impact: An application may be able to access a user's files
Description: An issue existed within the path validation logic for
symlinks. This issue was addressed with improved path sanitization.
CVE-2022-22585: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab
(https://xlab.tencent.com)
Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2022-22593: Peter Nguyá»\x{133}n VÅ© Hoàng of STAR Labs
WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2022-22590: Toan Pham from Team Orca of Sea Security
(security.sea.com)
WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may prevent
Content Security Policy from being enforced
Description: A logic issue was addressed with improved state
management.
CVE-2022-22592: Prakash (@1lastBr3ath)
WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted mail message may lead to
running arbitrary javascript
Description: A validation issue was addressed with improved input
sanitization.
CVE-2022-22589: Heige of KnownSec 404 Team (knownsec.com) and Bo Qu
of Palo Alto Networks (paloaltonetworks.com)
WebKit Storage
Available for: Apple Watch Series 3 and later
Impact: A website may be able to track sensitive user information
Description: A cross-origin issue in the IndexDB API was addressed
with improved input validation.
CVE-2022-22594: Martin Bajanik of FingerprintJS
Additional recognition
WebKit
We would like to acknowledge Prakash (@1lastBr3ath) for their
assistance.
Installation note:
Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641
To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".
Alternatively, on your watch, select "My Watch > General > About".
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEePiLW1MrMjw19XzoeC9qKD1prhgFAmHx1EsACgkQeC9qKD1p
rhjBEw//T3hH2N6vYXFcWWk5QghcWMWGnacDNTlkcYKNdGP8STbqHo62PyPIxDca
FnVobVePJqhiXULtoRn+WZ2PynkrH6FRmBeeNnbjk85mBoU8Xm0rMpz5IjX7kjfh
NvRCrnEKbRg8/702k2TvXK0n4dV7erYs+d4UKdA+e20OggtQldW2cmtTTBjCIq1X
+kjF8PF4di3esNNt1gI8c3zLwGw7BVyUkQqgKek7rBJzFt8m1hnOLh62giGOrf8j
D7UA6M3QAkiFF4+K2NU/t1PrdW7quUFszhO+NTdvx+9VCu7vFsPjIX1M1Rp7NllR
E+Y96PxMhjHVA2Re0+wPIK6R2QJ8aTc9VhZrotJyplmG2XyVWUS7sJxLrRP7Nwt9
ivuswd1Mg1RBeJDa8k5AX9+CqaFTbm0J82VVtts0mEtkdJYsRoviCCwRx4Kh41uE
hEUbVFUmR/fn+JVbV1IckeEcO1y/ge/m5I/PfxErZDqXgNuGtbdo6fyCNDi+D74i
9RkOnX/3T3kloifWCD+xGAbVeml1fnznrATIweeqMpStf7DWuDJGZWliQNdWaAVM
rW9wAkL73WndDuwf2A57zU6MPBigU+arO1EzgGWAUPfBIMhjE0wr8V18HSY0lDqJ
maEKhALSG7d0J/FBrfG9I9yH9DKoFxM79JkIZa+yF8qqhkrxesc=
=+J9t
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYfObqONLKJtyKPYoAQjUVQ//Zx8XP32QmW1TReL0Dc4yEep8lfYTO8KZ
zDV9GqRcRkkKT2c+2uJtdcgDkwKcKCvGan74LUTPD5z+TnGC8o/WI/6dDxUI7poX
RqHJHMkZGJCr/VHbUaDxAv8cxt5OmSSdCXeez7W4WHo6p12EiXTG4UF/knnfEmXs
jlv5XHjlUv7AW+XwxmRYKkuxztcFhijSCA2wW7Ks1UnN9s0VrFaw1L6doHY7ltJW
PmgK0YWlqMkvoCsIcRl48pMDy6HCufhSJtKhiIeij4wVrjeg4VeFsCn+j+zVIdpH
4ZVe1TPM0ao+9AM8Xtf5x6dmm5NDJiFtfQh2b2eWlwg8delLnxfUu1XArFylEZby
4YqTtsmThW73dW3zwcxk4M1Rg5/4aRR/z6tkIJJVaBrE+iPKhbeDCUukxQJa2BCf
VFeJ5ZtnkslCNd0w2z+i5lP8KdUwLY4iEGEavQ/WPxf3cZezD74jNF4Tv/WSukdZ
my6TmfoGbiZoGoXl+C0NPRgcCrT7kDXJH1wuD826qyC8Aeh33fui5gxJqpMryFXe
c/1tuAqeYrJ1NcwWe3rbraEfZHRp9U9eEC29i0H2vkethI4W8kAasBRsWdaUGbGQ
aQHqnin9vfYr5yQ1qToN/BXmCcGHqCj1lx1ZBX/inmWQ1sLWAqjIXK4TLUUV6XeX
g8hAaasRw1s=
=HjHR
-----END PGP SIGNATURE-----