About the security content of watchOS 10.2

This document describes the security content of watchOS 10.2.

About Apple security updates

For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security releases page.

Apple security documents reference vulnerabilities by CVE-ID when possible.

For more information about security, see the Apple Product Security page.

watchOS 10.2

Released December 11, 2023

Accessibility

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42937: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Entry added January 22, 2024

Accounts

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive user data

Description: A privacy issue was addressed with improved private data redaction for log entries.

CVE-2023-42919: Kirin (@Pwnrin)

ImageIO

Available for: Apple Watch Series 4 and later

Impact: Processing an image may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

CVE-2023-42898: Zhenjiang Zhao of Pangu Team, Qianxin and Junsung Lee

CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Entry updated March 22, 2024

ImageIO

Available for: Apple Watch Series 4 and later

Impact: Processing a maliciously crafted image may result in disclosure of process memory

Description: The issue was addressed with improved checks.

CVE-2023-42888: Michael DePlante (@izobashi) of Trend Micro Zero Day Initiative

Entry added January 22, 2024

Kernel

Available for: Apple Watch Series 4 and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improved memory handling.

CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv (@Synacktiv)

Libsystem

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access protected user data

Description: A permissions issue was addressed by removing vulnerable code and adding additional checks.

CVE-2023-42893

Entry added March 22, 2024

Sandbox

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access user-sensitive data

Description: This issue was addressed with improved redaction of sensitive information.

CVE-2023-42936: Csaba Fitzl (@theevilbit) of OffSec

Entry added March 22, 2024, updated July 16, 2024

TCC

Available for: Apple Watch Series 4 and later

Impact: An app may be able to break out of its sandbox

Description: A path handling issue was addressed with improved validation.

CVE-2023-42947: Zhongquan Li (@Guluisacat) of Dawn Security Lab of JingDong

Entry added March 22, 2024

Transparency

Available for: Apple Watch Series 4 and later

Impact: An app may be able to access sensitive user data

Description: The issue was addressed with improved restriction of data container access.

CVE-2023-40389: Csaba Fitzl (@theevilbit) of Offensive Security and Joshua Jewett (@JoshJewett33)

Entry added July 16, 2024

WebKit

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 259830

CVE-2023-42890: Pwn2car

WebKit

Available for: Apple Watch Series 4 and later

Impact: Processing an image may lead to a denial-of-service

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 263349

CVE-2023-42883: Zoom Offensive Security Team

WebKit

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Description: An out-of-bounds read was addressed with improved input validation.

WebKit Bugzilla: 265041

CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Description: A memory corruption vulnerability was addressed with improved locking.

WebKit Bugzilla: 265067

CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

WebKit

Available for: Apple Watch Series 4 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

WebKit Bugzilla: 263682

CVE-2023-42950: Nan Wang (@eternalsakura13) of 360 Vulnerability Research Institute and rushikesh nandedka

Entry added March 22, 2024

Additional recognition

Wi-Fi

We would like to acknowledge Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab) for their assistance.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Published Date: