About the security content of watchOS 2.0.1
This document describes the security content of watchOS 2.0.1.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other security updates, see Apple security updates.
watchOS 2.0.1
Apple Pay
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: Some cards may allow a terminal to retrieve limited recent transaction information when making a payment
Description: The transaction log functionality was enabled in certain configurations. This issue was addressed by removing the transaction log functionality. This update additionally addresses the issue for Apple Watches manufactured with watchOS 2.
CVE-ID
CVE-2015-5916
Bom
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: Unpacking a maliciously crafted archive may lead to arbitrary code execution
Description: A file traversal vulnerability existed in the handling of CPIO archives. This issue was addressed through improved validation of metadata.
CVE-ID
CVE-2015-7006 : Mark Dowd at Azimuth Security
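What "improved validation of metadata" looks like for a CPIO extractor, as an added example in C that is not Apple's code and says nothing about how Bom itself is implemented: a walker over the SVR4 "newc" archive format that checks every header-declared size against the bytes actually present before using it as an offset, and rejects entry names that would escape the extraction root (absolute paths and any ".." component). The archive it walks is constructed in memory; the function, enum and constant names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SVR4 "newc" CPIO: "070701" followed by 13 fields of 8 ASCII hex digits.
 * Field 6 (byte 54) is filesize, field 11 (byte 94) is namesize. */
#define CPIO_MAGIC   "070701"
#define CPIO_HDR_LEN 110

enum name_verdict { NAME_OK = 0, NAME_EMPTY, NAME_ABSOLUTE, NAME_DOTDOT, NAME_TRAILER };

/* Parse one 8-digit hex field; returns -1 if any digit is not hex. */
static int hexfield(const uint8_t *p, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t c = p[i];
        int d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = (v << 4) | (uint32_t)d;
    }
    *out = v;
    return 0;
}

/* The path check: only a relative name with no ".." component may be written
 * under the extraction root. "./a//b" is fine; "a/../b" and "/etc/x" are not. */
enum name_verdict cpio_check_name(const char *name) {
    if (name[0] == '\0') return NAME_EMPTY;
    if (strcmp(name, "TRAILER!!!") == 0) return NAME_TRAILER;
    if (name[0] == '/') return NAME_ABSOLUTE;
    for (const char *p = name; *p; ) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return NAME_DOTDOT;
        while (*p == '/') p++;
    }
    return NAME_OK;
}

/* Walk an in-memory archive without trusting any header field: each size is
 * checked against the bytes present before it becomes an offset. Returns the
 * number of file entries before the trailer, or -1 if the archive is malformed;
 * *unsafe receives the count of names cpio_check_name rejected. */
int cpio_walk(const uint8_t *buf, size_t len, int *unsafe) {
    size_t off = 0;
    int entries = 0;
    *unsafe = 0;
    for (;;) {
        if (len - off < CPIO_HDR_LEN) return -1;
        const uint8_t *h = buf + off;
        uint32_t filesize, namesize;
        if (memcmp(h, CPIO_MAGIC, 6) != 0) return -1;
        if (hexfield(h + 54, &filesize) || hexfield(h + 94, &namesize)) return -1;
        if (namesize == 0 || namesize > len - off - CPIO_HDR_LEN) return -1;
        const char *name = (const char *)(h + CPIO_HDR_LEN);
        if (name[namesize - 1] != '\0') return -1;    /* name must end inside namesize */
        if (strlen(name) != namesize - 1) return -1;  /* embedded NUL would hide the real path */
        size_t data_off = (off + CPIO_HDR_LEN + namesize + 3) & ~(size_t)3;
        if (data_off > len || filesize > len - data_off) return -1;
        enum name_verdict v = cpio_check_name(name);
        if (v == NAME_TRAILER) return entries;
        entries++;
        if (v != NAME_OK) (*unsafe)++;
        off = (data_off + filesize + 3) & ~(size_t)3;
        if (off > len) return -1;
    }
}

/* Emit one newc entry (header, NUL-terminated name, data, each 4-byte padded).
 * Used only to build the constructed sample below; returns bytes written. */
size_t cpio_put_entry(uint8_t *out, const char *name, const char *data) {
    unsigned namesize = (unsigned)strlen(name) + 1, filesize = (unsigned)strlen(data);
    char hdr[CPIO_HDR_LEN + 1];
    snprintf(hdr, sizeof hdr, "%s" "%08x%08x%08x%08x%08x" "%08x%08x%08x%08x%08x" "%08x%08x%08x",
             CPIO_MAGIC, 1u, 0100644u, 0u, 0u, 1u, 0u, filesize, 0u, 0u, 0u, 0u, namesize, 0u);
    size_t n = 0;
    memcpy(out + n, hdr, CPIO_HDR_LEN);  n += CPIO_HDR_LEN;
    memcpy(out + n, name, namesize);     n += namesize;
    while (n % 4) out[n++] = 0;
    memcpy(out + n, data, filesize);     n += filesize;
    while (n % 4) out[n++] = 0;
    return n;
}

/* Constructed sample (not a real-world archive): one benign entry and two that
 * a naive extractor would write outside its destination directory. */
int demo_walk(int *unsafe) {
    static uint8_t buf[1024];
    size_t n = 0;
    n += cpio_put_entry(buf + n, "etc/motd", "hello\n");
    n += cpio_put_entry(buf + n, "../../etc/passwd", "root::0:0:::\n");
    n += cpio_put_entry(buf + n, "/tmp/owned", "x");
    n += cpio_put_entry(buf + n, "TRAILER!!!", "");
    return cpio_walk(buf, n, unsafe);
}

int main(void) {
    int unsafe = 0;
    int entries = demo_walk(&unsafe);
    printf("entries=%d rejected=%d\n", entries, unsafe);  /* entries=3 rejected=2 */
    return entries < 0;
}
```

The name check alone does not close the traversal class for extractors that create symlinks: an entry whose mode field marks it as a link to a directory outside the root, followed by an entry that writes through that link, reaches the same result with a name that passes every test above. A hardened extractor therefore also refuses to write through links it created during the same extraction, or resolves each final path and checks it against the root. The walker here only reports; an extractor would stop at the first rejected entry rather than continue.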
configd
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: A malicious application may be able to elevate privileges
Description: A heap-based buffer overflow issue existed in the DNS client library. A local user with the ability to spoof responses from the local configd service may have been able to cause arbitrary code execution in DNS clients.
CVE-ID
CVE-2015-7015 : PanguTeam
CoreGraphics
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A memory corruption issue existed in CoreGraphics. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5925 : Apple
CVE-2015-5926 : Apple
FontParser
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: Viewing a document with a maliciously crafted font may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in the handling of font files. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-5927 : Apple
CVE-2015-5942
Grand Central Dispatch
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: Processing a maliciously crafted package may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of dispatch calls. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6989 : Apple
ImageIO
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: Viewing a maliciously crafted image file may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in the parsing of image metadata. These issues were addressed through improved metadata validation.
CVE-ID
CVE-2015-5935 : Apple
CVE-2015-5936 : Apple
CVE-2015-5937 : Apple
CVE-2015-5939 : Apple
IOAcceleratorFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in IOAcceleratorFamily. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6996 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6974 : Luca Todesco (@qwertyoruiop)
mDNSResponder
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermès
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in DNS data parsing. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-7987 : Alexandre Helie
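The configd and mDNSResponder entries above both concern bounds checking in code that parses DNS data. As an added example in C, not Apple's code and not the fix for either CVE, here is a decoder for a DNS name in wire format that refuses every input a naive decoder would read past or spin on: a length byte or label that runs off the end of the message, a name over the 255-byte limit, the unsupported 0x40/0x80 label types (which also caps a label at 63 bytes), and compression pointers that point forward or cycle. The response it decodes is constructed inline, not captured traffic; the names SAMPLE, dns_decode_name and dns_reject_count are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME 255   /* RFC 1035 limit on the wire-format name */
#define DNS_MAX_HOPS 16    /* compression pointers followed per name */

/* Decode the name at msg[off] into out as dotted text (out_len must be at
 * least DNS_MAX_NAME + 1). Returns the offset just past the name as it sits
 * in the message (after the first pointer, if one was followed) so the caller
 * can parse the fields that follow, or -1 if the name is malformed: a length
 * byte or label past msg_len, a name over 255 bytes, an unsupported label
 * type, or a pointer that points forward or cycles. */
int dns_decode_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len) {
    size_t in = off, o = 0, end = 0, wire = 0;
    int hops = 0, jumped = 0;
    if (out_len < DNS_MAX_NAME + 1) return -1;
    for (;;) {
        if (in >= msg_len) return -1;
        uint8_t len = msg[in];
        if ((len & 0xC0) == 0xC0) {                   /* compression pointer */
            if (in + 1 >= msg_len) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[in + 1];
            if (target >= in) return -1;              /* only backward pointers */
            if (++hops > DNS_MAX_HOPS) return -1;     /* backward pointers can still cycle */
            if (!jumped) { end = in + 2; jumped = 1; }
            in = target;
            continue;
        }
        if (len & 0xC0) return -1;    /* 0x40/0x80 label types; also caps a label at 63 */
        if (len == 0) {               /* root label terminates the name */
            if (++wire > DNS_MAX_NAME) return -1;
            if (!jumped) end = in + 1;
            break;
        }
        if (len > msg_len - in - 1) return -1;        /* label runs off the message */
        wire += 1 + len;
        if (wire > DNS_MAX_NAME) return -1;
        if (o + len + 2 > out_len) return -1;         /* room for '.', label, NUL */
        if (o) out[o++] = '.';
        memcpy(out + o, msg + in + 1, len);
        o += len;
        in += 1 + len;
    }
    out[o] = '\0';
    return (int)end;
}

/* Constructed sample response (not captured traffic): one question for
 * www.example.com and one A record whose name is a pointer to offset 12. */
const uint8_t SAMPLE[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,               /* header     */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',       /* qname @12  */
    3, 'c', 'o', 'm', 0, 0, 1, 0, 1,                              /* ... A, IN  */
    0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4, 192, 0, 2, 1  /* answer @33 */
};

/* Inputs a decoder without these checks would read past or spin on; returns
 * how many of the four it rejects. */
int dns_reject_count(void) {
    static const uint8_t fwd_ptr[]   = { 0xC0, 0x05, 0, 0, 0, 1, 'a', 0 };  /* points forward   */
    static const uint8_t ptr_cycle[] = { 1, 'a', 0xC0, 0x00 };              /* a -> ptr -> a... */
    static const uint8_t truncated[] = { 3, 'w', 'w' };                     /* label past end   */
    static const uint8_t bad_type[]  = { 0x40, 'x' };                       /* 0x40 label type  */
    const uint8_t *in[] = { fwd_ptr, ptr_cycle, truncated, bad_type };
    const size_t n[] = { sizeof fwd_ptr, sizeof ptr_cycle, sizeof truncated, sizeof bad_type };
    char out[DNS_MAX_NAME + 1];
    int rejected = 0;
    for (int i = 0; i < 4; i++)
        if (dns_decode_name(in[i], n[i], 0, out, sizeof out) < 0) rejected++;
    return rejected;
}

int main(void) {
    char name[DNS_MAX_NAME + 1];
    int next = dns_decode_name(SAMPLE, sizeof SAMPLE, 33, name, sizeof name);
    printf("answer name=%s next=%d rejected=%d/4\n", name, next, dns_reject_count());
    return next < 0;
}
```

Two details carry the security weight. Every read of msg[] is preceded by a comparison against msg_len rather than against the length byte the message itself supplied, and the caller-supplied output buffer is bounded independently of the wire limits, so a name that is legal on the wire but larger than the buffer is still refused. Requiring pointers to point backwards does not by itself prevent a cycle (ptr_cycle above is a backward pointer), which is why the hop counter and the running 255-byte total are kept as well.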
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.