Operating System:

[Mobile]

Published:

22 September 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2462
                                 watchOS 2
                             22 September 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Apple Watch
Publisher:        Apple
Operating System: Mobile Device
Impact/Access:    Administrator Compromise       -- Remote with User Interaction
                  Root Compromise                -- Existing Account            
                  Access Privileged Data         -- Remote/Unauthenticated      
                  Modify Arbitrary Files         -- Existing Account            
                  Denial of Service              -- Remote/Unauthenticated      
                  Provide Misleading Information -- Remote with User Interaction
                  Reduced Security               -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2015-5919 CVE-2015-5918 CVE-2015-5916
                  CVE-2015-5912 CVE-2015-5903 CVE-2015-5899
                  CVE-2015-5898 CVE-2015-5896 CVE-2015-5895
                  CVE-2015-5885 CVE-2015-5882 CVE-2015-5876
                  CVE-2015-5874 CVE-2015-5869 CVE-2015-5868
                  CVE-2015-5863 CVE-2015-5862 CVE-2015-5848
                  CVE-2015-5847 CVE-2015-5846 CVE-2015-5845
                  CVE-2015-5844 CVE-2015-5843 CVE-2015-5842
                  CVE-2015-5841 CVE-2015-5840 CVE-2015-5839
                  CVE-2015-5837 CVE-2015-5834 CVE-2015-5829
                  CVE-2015-5824 CVE-2015-5748 CVE-2015-5523
                  CVE-2015-5522 CVE-2015-1205 CVE-2014-8146
                  CVE-2013-3951  

Reference:        ASB-2015.0011
                  ESB-2015.2428
                  ESB-2015.2426
                  ESB-2015.2113
                  ESB-2015.2002
                  ESB-2015.1892

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2015-09-21-1 watchOS 2

watchOS 2 is now available and addresses the following:

Apple Pay
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Some cards may allow a terminal to retrieve limited recent
transaction information when making a payment
Description:  The transaction log functionality was enabled in
certain configurations. This issue was addressed by removing the
transaction log functionality.
CVE-ID
CVE-2015-5916

Audio
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Playing a malicious audio file may lead to an unexpected
application termination
Description:  A memory corruption issue existed in the handling of
audio files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5862 : YoungJin Yoon of Information Security Lab. (Adv.:
Prof. Taekyoung Kwon), Yonsei University, Seoul, Korea

Certificate Trust Policy
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Update to the certificate trust policy
Description:  The certificate trust policy was updated. The complete
list of certificates may be viewed at
https://support.apple.com/en-us/HT204873.

CFNetwork
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker with a privileged network position may intercept
SSL/TLS connections
Description:  A certificate validation issue existed in NSURL when a
certificate changed. This issue was addressed through improved
certificate validation.
CVE-ID
CVE-2015-5824 : Timothy J. Wood of The Omni Group

CFNetwork
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Connecting to a malicious web proxy may set malicious
cookies for a website
Description:  An issue existed in the handling of proxy connect
responses. This issue was addressed by removing the set-cookie header
while parsing the connect response.
CVE-ID
CVE-2015-5841 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University

CFNetwork
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker in a privileged network position can track a
user's activity
Description:  A cross-domain cookie issue existed in the handling of
top level domains. The issue was addressed through improved
restrictions of cookie creation.
CVE-ID
CVE-2015-5885 : Xiaofeng Zheng of Blue Lotus Team, Tsinghua
University

CFNetwork
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Malicious FTP servers may be able to cause the client to
perform reconnaissance on other hosts
Description:  An issue existed in FTP clients while checking when
proxy was in use. This issue was resolved through improved
validation.
CVE-ID
CVE-2015-5912 : Amit Klein

CFNetwork
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A person with physical access to an iOS device may read
cache data from Apple apps
Description:  Cache data was encrypted with a key protected only by
the hardware UID. This issue was addressed by encrypting the cache
data with a key protected by the hardware UID and the user's
passcode.
CVE-ID
CVE-2015-5898 : Andreas Kurtz of NESO Security Labs

CoreCrypto
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker may be able to determine a private key
Description:  By observing many signing or decryption attempts, an
attacker may have been able to determine the RSA private key. This
issue was addressed using improved encryption algorithms.

CoreText
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team

Data Detectors Engine
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Processing a maliciously crafted text file may lead to
arbitrary code execution
Description:  Memory corruption issues existed in the processing of
text files. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2015-5829 : M1x7e1 of Safeye Team (www.safeye.org)

Dev Tools
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in dyld. This was
addressed through improved memory handling.
CVE-ID
CVE-2015-5876 : beist of grayhash

dyld
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An application may be able to bypass code signing
Description:  An issue existed with validation of the code signature
of executables. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5839 : @PanguTeam, TaiG Jailbreak Team

Disk Images
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A memory corruption issue existed in DiskImages. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5847 : Filippo Bigarella, Luca Todesco

GasGauge
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  Multiple memory corruption issues existed in the
kernel. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-5918 : Apple
CVE-2015-5919 : Apple

ICU
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Multiple vulnerabilities in ICU
Description:  Multiple vulnerabilities existed in ICU versions prior
to 53.1.0. These issues were addressed by updating ICU to version
55.1.
CVE-ID
CVE-2014-8146
CVE-2015-1205

IOAcceleratorFamily
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to determine kernel
memory layout
Description:  An issue existed that led to the disclosure of kernel
memory content. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5834 : Cererdlong of Alibaba Mobile Security Team

IOAcceleratorFamily
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A memory corruption issue existed in
IOAcceleratorFamily. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5848 : Filippo Bigarella

IOKit
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5844 : Filippo Bigarella
CVE-2015-5845 : Filippo Bigarella
CVE-2015-5846 : Filippo Bigarella

IOMobileFrameBuffer
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A memory corruption issue existed in
IOMobileFrameBuffer. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5843 : Filippo Bigarella

IOStorageFamily
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local attacker may be able to read kernel memory
Description:  A memory initialization issue existed in the kernel.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5863 : Ilja van Sprundel of IOActive

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5868 : Cererdlong of Alibaba Mobile Security Team
CVE-2015-5896 : Maxime Villard of m00nbsd
CVE-2015-5903 : CESG

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local attacker may control the value of stack cookies
Description:  Multiple weaknesses existed in the generation of user
space stack cookies. This was addressed through improved generation
of stack cookies.
CVE-ID
CVE-2013-3951 : Stefan Esser

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local process can modify other processes without
entitlement checks
Description:  An issue existed where root processes using the
processor_set_tasks API were allowed to retrieve the task ports of
other processes. This issue was addressed through added entitlement
checks.
CVE-ID
CVE-2015-5882 : Pedro Vilaca, working from original research by
Ming-chieh Pan and Sung-ting Tsai; Jonathan Levin

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker in a local LAN segment may disable IPv6 routing
Description:  An insufficient validation issue existed in handling of
IPv6 router advertisements that allowed an attacker to set the hop
limit to an arbitrary value. This issue was addressed by enforcing a
minimum hop limit.
CVE-ID
CVE-2015-5869 : Dennis Spindel Ljungmark
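
The hop-limit check described in the entry above, sketched as an added example that is not part of Apple's advisory and is not Apple's code. The floor MIN_RA_HOP_LIMIT, the if_state structure and the demo_* helpers are assumptions made for illustration; the field offsets follow the Router Advertisement layout in RFC 4861.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_ROUTER_ADVERT 134 /* ICMPv6 type of a Router Advertisement (RFC 4861) */
#define RA_FIXED_LEN     16  /* fixed RA header: type through retrans timer */
#define RA_HOP_OFFSET    4   /* Cur Hop Limit field */
#define MIN_RA_HOP_LIMIT 32  /* assumed floor for this example, not Apple's value */

enum ra_result { RA_APPLIED, RA_UNSPECIFIED, RA_TOO_LOW, RA_MALFORMED };

struct if_state { uint8_t cur_hop_limit; };  /* hypothetical per-interface state */

/* Apply the RA's Cur Hop Limit only when it is well formed and not below the floor. */
enum ra_result ra_update_hop_limit(struct if_state *ifp, const uint8_t *pkt, size_t len)
{
    if (ifp == NULL || pkt == NULL || len < RA_FIXED_LEN)
        return RA_MALFORMED;               /* truncated: never read past the buffer */
    if (pkt[0] != ND_ROUTER_ADVERT || pkt[1] != 0)
        return RA_MALFORMED;               /* wrong ICMPv6 type or code */
    uint8_t advertised = pkt[RA_HOP_OFFSET];
    if (advertised == 0)
        return RA_UNSPECIFIED;             /* RFC 4861: 0 = router does not specify */
    if (advertised < MIN_RA_HOP_LIMIT)
        return RA_TOO_LOW;                 /* keep the current value */
    ifp->cur_hop_limit = advertised;
    return RA_APPLIED;
}

/* Build a constructed RA with the given hop limit and process `len` bytes of it. */
enum ra_result demo_result(uint8_t advertised, size_t len, uint8_t *hop_out)
{
    uint8_t pkt[RA_FIXED_LEN] = {0};
    struct if_state ifp = { 64 };          /* interface starts at hop limit 64 */
    pkt[0] = ND_ROUTER_ADVERT;
    pkt[RA_HOP_OFFSET] = advertised;
    enum ra_result r = ra_update_hop_limit(&ifp, pkt, len);
    if (hop_out) *hop_out = ifp.cur_hop_limit;
    return r;
}

/* Hop limit the interface ends up with after one full-length constructed RA. */
uint8_t demo_hop_after(uint8_t advertised)
{
    uint8_t hop = 0;
    demo_result(advertised, RA_FIXED_LEN, &hop);
    return hop;
}

int main(void)
{
    static const uint8_t samples[] = { 1, 0, 32, 255 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples; i++)
        printf("advertised=%3u -> hop limit %u\n", samples[i], demo_hop_after(samples[i]));
    return 0;
}
```

The sketch leaves out ICMPv6 checksum verification and the RFC 4861 requirement that a received RA carry an IP hop limit of 255, both of which a real receive path checks before reaching this point.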

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local user may be able to determine kernel memory layout
Description:  An issue existed in XNU that led to the disclosure of
kernel memory. This was addressed through improved initialization of
kernel memory structures.
CVE-ID
CVE-2015-5842 : beist of grayhash

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local user may be able to cause a system denial of service
Description:  An issue existed in HFS drive mounting. This was
addressed by additional validation checks.
CVE-ID
CVE-2015-5748 : Maxime Villard of m00nbsd

libpthread
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A local user may be able to execute arbitrary code with
kernel privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5899 : Lufeng Li of Qihoo 360 Vulcan Team

PluginKit
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious enterprise application can install extensions
before the application has been trusted
Description:  An issue existed in the validation of extensions during
installation. This was addressed through improved app verification.
CVE-ID
CVE-2015-5837 : Zhaofeng Chen, Hui Xue, and Tao (Lenx) Wei of
FireEye, Inc.

removefile
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Processing malicious data may lead to unexpected application
termination
Description:  An overflow fault existed in the checkint division
routines. This issue was addressed with improved division routines.
CVE-ID
CVE-2015-5840 : an anonymous researcher

SQLite
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Multiple vulnerabilities in SQLite v3.8.5
Description:  Multiple vulnerabilities existed in SQLite v3.8.5.
These issues were addressed by updating SQLite to version 3.8.10.2.
CVE-ID
CVE-2015-5895

tidy
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Visiting a maliciously crafted website may lead to arbitrary
code execution
Description:  A memory corruption issue existed in Tidy. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5522 : Fernando Munoz of NULLGroup.com
CVE-2015-5523 : Fernando Munoz of NULLGroup.com


Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".


Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

- -----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----