About the security content of watchOS 5.3
This document describes the security content of watchOS 5.3.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss or confirm security issues until an investigation has taken place and patches or releases are available. Recent releases are listed on the Apple security updates page.
Apple security documents reference vulnerabilities by CVE-ID when possible.
For more information about security, see the Apple Product Security page.
watchOS 5.3
Bluetooth
Available for: Apple Watch Series 1 and later
Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic (Key Negotiation of Bluetooth – KNOB)
Description: An input validation issue existed in Bluetooth. This issue was addressed with improved input validation.
CVE-2019-9506: Daniele Antonioli of SUTD, Singapore, Dr. Nils Ole Tippenhauer of CISPA, Germany and Prof. Kasper Rasmussen of University of Oxford, England
The changes for this issue mitigate CVE-2020-10135.
Core Data
Available for: Apple Watch Series 1 and later
Impact: a remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8646: natashenka of Google Project Zero
Core Data
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2019-8647: Samuel Groß and natashenka of Google Project Zero
Core Data
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-8660: Samuel Groß and natashenka of Google Project Zero
Digital Touch
Available for: Apple Watch Series 1 and later
Impact: a remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8624: natashenka of Google Project Zero
FaceTime
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause arbitrary code execution
Description: A memory corruption issue was addressed with improved input validation.
CVE-2019-8648: Tao Huang and Tielei Wang of Team Pangu
Heimdal
Available for: Apple Watch Series 1 and later
Impact: An issue existed in Samba that may allow attackers to perform unauthorised actions by intercepting communications between services
Description: This issue was addressed with improved checks to prevent unauthorised actions.
CVE-2018-16860: Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst
Image Processing
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: A denial-of-service issue was addressed with improved validation.
CVE-2019-8668: an anonymous researcher
Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with improved input sanitisation.
CVE-2019-8633: Zhuo Liang of Qihoo 360 Vulcan Team
libxslt
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to view sensitive information
Description: A stack overflow was addressed with improved input validation.
CVE-2019-13118: found by OSS-Fuzz
Messages
Available for: Apple Watch Series 1 and later
Impact: Users removed from an iMessage conversation may still be able to alter state
Description: This issue was addressed with improved checks.
CVE-2019-8659: Ryan Kontos (@ryanjkontos), Will Christensen of University of Oregon
Messages
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may cause an unexpected application termination
Description: A denial-of-service issue was addressed with improved validation.
CVE-2019-8665: Michael Hernandez of XYZ Marketing
Quick Look
Available for: Apple Watch Series 1 and later
Impact: An attacker may be able to trigger a use-after-free in an application deserialising an untrusted NSDictionary
Description: This issue was addressed with improved checks.
CVE-2019-8662: natashenka and Samuel Groß of Google Project Zero
Siri
Available for: Apple Watch Series 1 and later
Impact: a remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8646: natashenka of Google Project Zero
UIFoundation
Available for: Apple Watch Series 1 and later
Impact: Parsing a maliciously crafted office document may lead to an unexpected application termination or arbitrary code execution
Description: an out-of-bounds read was addressed with improved input validation.
CVE-2019-8657: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative
Wallet
Available for: Apple Watch Series 1 and later
Impact: A user may inadvertently complete an in-app purchase while on the lock screen
Description: the issue was addressed with improved UI handling.
CVE-2019-8682: Jeff Braswell (JeffBraswell.com)
WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to universal cross-site scripting
Description: A logic issue was addressed with improved state management.
CVE-2019-8658: akayn working with Trend Micro's Zero Day Initiative
WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2019-8669: akayn working with Trend Micro's Zero Day Initiative
CVE-2019-8672: Samuel Groß of Google Project Zero
CVE-2019-8676: Soyeon Park and Wen Xu of SSLab at Georgia Tech
CVE-2019-8683: lokihardt of Google Project Zero
CVE-2019-8684: lokihardt of Google Project Zero
CVE-2019-8685: akayn, Dongzhuo Zhao working with ADLab of Venustech, Ken Wong (@wwkenwong) of VXRL, Anthony Lai (@darkfloyd1014) of VXRL and Eric Lung (@Khlung1) of VXRL
CVE-2019-8688: Insu Yun of SSLab at Georgia Tech
CVE-2019-8689: lokihardt of Google Project Zero
Additional recognition
MobileInstallation
We would like to acknowledge Dany Lisiansky (@DanyL931) for their assistance.
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.