About the security content of watchOS 2.1
This document describes the security content of watchOS 2.1.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other security updates, see Apple security updates.
watchOS 2.1
AppSandbox
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may maintain access to Contacts after having access revoked
Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox.
CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt
Compression
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.
CVE-ID
CVE-2015-7054 : j00ru
CoreGraphics
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team
CoreMedia Playback
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of malformed media files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7075
dyld
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A segment validation issue existed in dyld. This was addressed through improved environment sanitization.
CVE-ID
CVE-2015-7072 : Apple
FontParser
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in the processing of font files. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-6978 : Jaanus Kp, Clarified Security, working with HP's Zero Day Initiative
GasGauge
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6979 : PanguTeam
ImageIO
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7053 : Apple
IOHIDFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: Multiple memory corruption issues existed in IOHIDFamily. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7111 : beist and ABH of BoB
CVE-2015-7112 : Ian Beer of Google Project Zero
IOKit SCSI
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation.
CVE-ID
CVE-2015-7068 : Ian Beer of Google Project Zero
Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A local application may be able to cause a denial of service
Description: Multiple denial of service issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7043 : Tarjei Mandt (@kernelpool)
Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A local user may be able to execute arbitrary code with kernel privileges
Description: An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages.
CVE-ID
CVE-2015-7047 : Ian Beer of Google Project Zero
Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A local user may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7083 : Ian Beer of Google Project Zero
CVE-2015-7084 : Ian Beer of Google Project Zero
LaunchServices
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in the processing of malformed plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7113 : Olivier Goguel of Free Tools Association
libarchive
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of archives. This issue was addressed through improved memory handling.
CVE-ID
CVE-2011-2895 : @practicalswift
libc
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing a maliciously crafted package may lead to arbitrary code execution
Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-7038 : Brian D. Wells of E. W. Scripps, Narayan Subramanian of Symantec Corporation/Veritas LLC
CVE-2015-7039 : Maksymilian Arciemowicz (CXSECURITY.COM)
Entry updated March 3, 2017
mDNSResponder
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A local application may be able to cause a denial of service
Description: A null pointer dereference issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7988 : Alexandre Helie
OpenGL
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in OpenGL. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7064 : Apple
CVE-2015-7066 : Tongbo Luo and Bo Qu of Palo Alto Networks
Sandbox
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application with root privileges may be able to bypass kernel address space layout randomization
Description: An insufficient privilege separation issue existed in xnu. This issue was addressed by improved authorization checks.
CVE-ID
CVE-2015-7046 : Apple
Security
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in handling SSL handshakes. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7073 : Benoit Foucher of ZeroC, Inc.
Security
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in the ASN.1 decoder. These issues were addressed through improved input validation
CVE-ID
CVE-2015-7059 : David Keeler of Mozilla
CVE-2015-7060 : Tyson Smith of Mozilla
CVE-2015-7061 : Ryan Sleevi of Google
Security
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A trust evaluation configured to require revocation checking may succeed even if revocation checking fails
Description: The kSecRevocationRequirePositiveResponse flag was specified but not implemented. This issue was addressed by implementing the flag.
CVE-ID
CVE-2015-6997 : Apple
Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.