About the security content of watchOS 2.1

This document describes the security content of watchOS 2.1.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other security updates, see Apple security updates.

watchOS 2.1

  • AppSandbox

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A malicious application may maintain access to Contacts after having access revoked

    Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox.

    CVE-ID

    CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt

  • Compression

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.

    CVE-ID

    CVE-2015-7054 : j00ru

  • CoreGraphics

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

    Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.

    CVE-ID

    CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

  • CoreMedia Playback

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: A memory corruption issue existed in the processing of malformed media files. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7075

  • dyld

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: A segment validation issue existed in dyld. This was addressed through improved environment sanitization.

    CVE-ID

    CVE-2015-7072 : Apple

  • FontParser

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in the processing of font files. These issues were addressed through improved bounds checking.

    CVE-ID

    CVE-2015-6978 : Jaanus Kp, Clarified Security, working with HP's Zero Day Initiative

  • GasGauge

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-6979 : PanguTeam

  • ImageIO

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: Processing a maliciously crafted image may lead to arbitrary code execution

    Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7053 : Apple

  • IOHIDFamily

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: Multiple memory corruption issues existed in IOHIDFamily. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7111 : beist and ABH of BoB

    CVE-2015-7112 : Ian Beer of Google Project Zero

  • IOKit SCSI

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A malicious application may be able to execute arbitrary code with kernel privileges

    Description: A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation.

    CVE-ID

    CVE-2015-7068 : Ian Beer of Google Project Zero

  • Kernel

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A local application may be able to cause a denial of service

    Description: Multiple denial of service issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team

    CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team

    CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team

    CVE-2015-7043 : Tarjei Mandt (@kernelpool)

  • Kernel

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A local user may be able to execute arbitrary code with kernel privileges

    Description: An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages.

    CVE-ID

    CVE-2015-7047 : Ian Beer of Google Project Zero

  • Kernel

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A local user may be able to execute arbitrary code with kernel privileges

    Description: Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7083 : Ian Beer of Google Project Zero

    CVE-2015-7084 : Ian Beer of Google Project Zero

  • LaunchServices

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A malicious application may be able to execute arbitrary code with system privileges

    Description: A memory corruption issue existed in the processing of malformed plists. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7113 : Olivier Goguel of Free Tools Association

  • libarchive

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: A memory corruption issue existed in the processing of archives. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2011-2895 : @practicalswift

  • libc

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: Processing a maliciously crafted package may lead to arbitrary code execution

    Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds checking.

    CVE-ID

    CVE-2015-7038 : Brian D. Wells of E. W. Scripps, Narayan Subramanian of Symantec Corporation/Veritas LLC

    CVE-2015-7039 : Maksymilian Arciemowicz (CXSECURITY.COM)

    Entry updated March 3, 2017

  • mDNSResponder

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A local application may be able to cause a denial of service

    Description: A null pointer dereference issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7988 : Alexandre Helie

  • OpenGL

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: Visiting a maliciously crafted website may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in OpenGL. These issues were addressed through improved memory handling.

    CVE-ID

    CVE-2015-7064 : Apple

    CVE-2015-7066 : Tongbo Luo and Bo Qu of Palo Alto Networks

  • Sandbox

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A malicious application with root privileges may be able to bypass kernel address space layout randomization

    Description: An insufficient privilege separation issue existed in xnu. This issue was addressed by improved authorization checks.

    CVE-ID

    CVE-2015-7046 : Apple

  • Security

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue existed in handling SSL handshakes. This issue was addressed through improved memory handling.

    CVE-ID

    CVE-2015-7073 : Benoit Foucher of ZeroC, Inc.

  • Security

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution

    Description: Multiple memory corruption issues existed in the ASN.1 decoder. These issues were addressed through improved input validation

    CVE-ID

    CVE-2015-7059 : David Keeler of Mozilla

    CVE-2015-7060 : Tyson Smith of Mozilla

    CVE-2015-7061 : Ryan Sleevi of Google

  • Security

    Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes

    Impact: A trust evaluation configured to require revocation checking may succeed even if revocation checking fails

    Description: The kSecRevocationRequirePositiveResponse flag was specified but not implemented. This issue was addressed by implementing the flag.

    CVE-ID

    CVE-2015-6997 : Apple

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Contact the vendor for additional information.

Data publicării: