Apple Fixes Security Bugs With First Update for Watch OS

Apple released on Tuesday its first update for Watch OS, the iOS-based operating system that runs on the Apple Watch.

Watch OS 1.0.1 patches a total of 13 vulnerabilities affecting components such as the kernel, Secure Transport, FontParser, the Foundation framework, IOHIDFamily, and IOAcceleratorFamily.

The FontParser issue exists due to the way font files are processed. An attacker can exploit this vulnerability (CVE-2015-1093) to execute arbitrary code by getting a user to process a maliciously crafted font.

The Foundation framework in the first version of Watch OS is plagued by an XML External Entity (XXE) vulnerability caused by the way the NSXMLParser handles XML files (CVE-2015-1092). This allows an application using the NSXMLParser to disclose information, Apple said in its advisory.

The flaws affecting IOHIDFamily and IOAcceleratorFamily could allow malicious applications to determine kernel memory layout.

The following vulnerabilities have been identified in the kernel:

• CVE-2015-1099: race condition in the setreuid system call could allow malicious apps to cause a denial-of-service (DoS) condition on the system;
• CVE-2015-1103: ICMP redirects enabled by default allow a man-in-the-middle (MitM) attacker to redirect users’ traffic to arbitrary hosts;
• CVE-2015-1105: state inconsistency issue in handling of TCP out-of-band data allows a remote attacker to cause a DoS condition;
• CVE-2015-1117: setreuid and setregid system calls fail to drop privileges permanently, allowing malicious applications to escalate privileges using a compromised service that should run with limited permissions;
• CVE-2015-1104: system treats some IPv6 packets from remote network interfaces as local packets, enabling remote attackers to bypass network filters;
• CVE-2015-1102: inconsistency in the processing of TCP headers allows an MitM attacker to cause a DoS condition;
• CVE-2015-1100: out-of-bounds memory access flaw in the kernel allows malicious apps to cause the system to crash or read kernel memory;
• CVE-2015-1101: memory corruption vulnerability allows malicious applications to execute arbitrary code with system privileges.

The list of people and organizations credited for finding these vulnerabilities includes Marc Schoenefeld, Ikuya Fukumoto, Ilja van Sprundel of IOActive, Cererdlong of the Alibaba Mobile Security Team, Mark Mentovai of Google, Zimperium Mobile Security Labs, Kenton Varda of Sandstorm.io, Stephen Roettger of Google, Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab, Maxime Villard of m00nbsd, and [email protected]

Watch OS 1.0.1 also addresses the FREAK vulnerability, which allows an MitM attacker to access encrypted data by downgrading the connection.

In addition to addressing these security bugs, Apple has updated the certificate trust policy, which includes a list of trusted, untrusted but not blocked, and blocked certificates in Watch OS.

The update is available for Apple Watch, Apple Watch Sport, and Apple Watch Edition.

Related: Address Bar Spoofing Bugs Found in Safari, Chrome for Android

Related: Apple Updates Safari to Patch Several Vulnerabilities