Apple Watch 2 Update Patches Security Holes
Posted by Derek Erwin
The Apple Watch recently received its second major update, which patches a total of 36 vulnerabilities in the Apple Watch operating system. This update is available for Apple Watch Sport, Apple Watch, and Apple Watch Edition.
Apple detailed the security patches, which come as part of the device’s Watch OS 2 update, on its support page. Many of the fixes address arbitrary code execution flaws as well as issues affecting the Apple Watch’s kernel, the deepest level of its operating system.
The vulnerabilities patched in this update are described as follows:
- CVE-2015-5916 : Some cards may allow a terminal to retrieve limited recent transaction information when making a payment. The transaction log functionality was enabled in certain configurations. This issue was addressed by removing the transaction log functionality.
- CVE-2015-5862 : Playing a malicious audio file may lead to an unexpected application termination. A memory corruption issue existed in the handling of audio files. This issue was addressed through improved memory handling.
- CVE-2015-5824 : An attacker with a privileged network position may intercept SSL/TLS connections. A certificate validation issue existed in NSURL when a certificate changed. This issue was addressed through improved certificate validation.
- CVE-2015-5841 : Connecting to a malicious web proxy may set malicious cookies for a website. An issue existed in the handling of proxy connect responses. This issue was addressed by removing the set-cookie header while parsing the connect response.
- CVE-2015-5885 : An attacker in a privileged network position can track a user’s activity. A cross-domain cookie issue existed in the handling of top level domains. The issue was addressed through improved restrictions of cookie creation.
- CVE-2015-5898 : A person with physical access to an iOS device may read cache data from Apple apps. Cache data was encrypted with a key protected only by the hardware UID. This issue was addressed by encrypting the cache data with a key protected by the hardware UID and the user’s passcode.
- CVE-2015-5874 : Processing a maliciously crafted font file may lead to arbitrary code execution. A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
- CVE-2015-5829 : Processing a maliciously crafted text file may lead to arbitrary code execution. Memory corruption issues existed in the processing of text files. These issues were addressed through improved bounds checking.
- CVE-2015-5876 : A malicious application may be able to execute arbitrary code with system privileges. A memory corruption issue existed in dyld. This was addressed through improved memory handling.
- CVE-2015-5847 : A local user may be able to execute arbitrary code with system privileges. A memory corruption issue existed in DiskImages. This issue was addressed through improved memory handling.
- CVE-2015-5839 : An application may be able to bypass code signing. An issue existed with validation of the code signature of executables. This issue was addressed through improved bounds checking.
- CVE-2015-5918, CVE-2015-5919 : A local user may be able to execute arbitrary code with kernel privileges. Multiple memory corruption issues existed in the kernel. These issues were addressed through improved memory handling.
- CVE-2014-8146, CVE-2015-1205 : Multiple vulnerabilities in ICU. Multiple vulnerabilities existed in ICU versions prior to 53.1.0. These issues were addressed by updating ICU to version 55.1.
- CVE-2015-5834 : A malicious application may be able to determine kernel memory layout. An issue existed that led to the disclosure of kernel memory content. This issue was addressed through improved bounds checking.
- CVE-2015-5848 : A local user may be able to execute arbitrary code with system privileges. A memory corruption issue existed in IOAcceleratorFamily. This issue was addressed through improved memory handling.
- CVE-2015-5844, CVE-2015-5845, CVE-2015-5846 : A malicious application may be able to execute arbitrary code with system privileges. A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
- CVE-2015-5843 : A local user may be able to execute arbitrary code with system privileges. A memory corruption issue existed in IOMobileFrameBuffer. This issue was addressed through improved memory handling.
- CVE-2015-5863 : A local attacker may be able to read kernel memory. A memory initialization issue existed in the kernel. This issue was addressed through improved memory handling.
- CVE-2015-5868, CVE-2015-5896, CVE-2015-5903 : A local user may be able to execute arbitrary code with kernel privileges. A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
- CVE-2013-3951 : A local attacker may control the value of stack cookies. Multiple weaknesses existed in the generation of user space stack cookies. This was addressed through improved generation of stack cookies.
- CVE-2015-5882 : A local process can modify other processes without entitlement checks. An issue existed where root processes using the processor_set_tasks API were allowed to retrieve the task ports of other processes. This issue was addressed through added entitlement checks.
- CVE-2015-5869 : An attacker in a local LAN segment may disable IPv6 routing. An insufficient validation issue existed in handling of IPv6 router advertisements that allowed an attacker to set the hop limit to an arbitrary value. This issue was addressed by enforcing a minimum hop limit.
- CVE-2015-5842 : A local user may be able to determine kernel memory layout. An issue existed in XNU that led to the disclosure of kernel memory. This was addressed through improved initialization of kernel memory structures.
- CVE-2015-5748 : A local user may be able to cause a system denial of service. An issue existed in HFS drive mounting. This was addressed by additional validation checks.
- CVE-2015-5899 : A local user may be able to execute arbitrary code with kernel privileges. A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
- CVE-2015-5837 : A malicious enterprise application can install extensions before the application has been trusted. An issue existed in the validation of extensions during installation. This was addressed through improved app verification.
- CVE-2015-5840 : Processing malicious data may lead to unexpected application termination. An overflow fault existed in the checkint division routines. This issue was addressed with improved division routines.
- CVE-2015-5895 : Multiple vulnerabilities in SQLite v3.8.5. Multiple vulnerabilities existed in SQLite v3.8.5. These issues were addressed by updating SQLite to version 3.8.10.2.
- CVE-2015-5522, CVE-2015-5523 : Visiting a maliciously crafted website may lead to arbitrary code execution. A memory corruption issue existed in Tidy. This issue was addressed through improved memory handling.
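The fix described for CVE-2015-5841 above (dropping Set-Cookie while parsing the proxy's CONNECT response) can be illustrated with a small client-side parser. This is an added example, not Apple's code; the function name, header set, and sample response are assumptions constructed for illustration.

```python
# Added illustration; not Apple's code. All names here are hypothetical.

# Constructed sample: a proxy's reply to "CONNECT shop.example:443", carrying
# cookies the proxy wants attributed to the tunnelled site.
SAMPLE_CONNECT_RESPONSE = (
    b"HTTP/1.1 200 Connection established\r\n"
    b"Proxy-Agent: constructed-proxy/1.0\r\n"
    b"Set-Cookie: session=proxy-chosen; Domain=shop.example; Path=/\r\n"
    b"set-cookie2: legacy=1\r\n"
    b"\r\n"
    b"\x16\x03\x01"  # first bytes of the tunnelled TLS stream
)

# Headers in a CONNECT reply that must never reach the cookie store.
COOKIE_HEADERS = {"set-cookie", "set-cookie2"}


def parse_connect_response(raw: bytes):
    """Parse a proxy CONNECT reply.

    Returns (status_code, kept_headers, dropped_headers, tunnel_bytes).
    The reply comes from the proxy, not the origin site, so cookie-setting
    headers are separated out and never handed to cookie handling.
    """
    head, sep, tunnel = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT response: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line")
    status = int(parts[1])
    kept, dropped = [], []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject folded lines and names padded with whitespace, so a header
        # such as "Set-Cookie :" cannot slip past the name comparison.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        target = dropped if name.lower() in COOKIE_HEADERS else kept
        target.append((name, value.strip()))
    return status, kept, dropped, tunnel
```

Only the kept headers and the tunnel bytes should be passed on; the dropped list exists so the event can be logged.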
At Intego, we routinely stress the need to update your software as a means to minimize security threats targeting your machines. Patching third-party software is an important layer of security that keeps your expensive devices safe from hackers, malware, and other Internet threats. The Apple Watch is no different, and we encourage all users to update their software in a timely manner to mitigate the aforementioned threats.
Before you update…
In order to update your Apple Watch software, you need to update to iOS 9 or later on your iPhone, have at least 50 percent battery charge, connect your iPhone to Wi-Fi, and keep your iPhone next to your Apple Watch to make sure you’re in range.
To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select My Watch > General > About.
Alternatively, on your watch, select My Watch > General > About.
How to update your Apple Watch
- Connect your Apple Watch to power, and keep it on the charger until the update is complete.
- On your iPhone, open the Watch app, tap the My Watch tab, and then tap General > Software Update.
- If asked for your iPhone passcode or Apple Watch passcode, enter the passcode.
- Wait for the progress bar to appear and complete. Don’t restart your Apple Watch during the update, which might take some time. When the update finishes, your Apple Watch will restart on its own.
For additional details on how to update your Apple Watch, see Apple’s support page.