Apple WatchOS 2 Patches Tens of Vulnerabilities

Apple on Monday announced the availability of WatchOS 2. The latest version of the Apple Watch operating system patches nearly 40 security issues, including vulnerabilities that could lead to arbitrary code execution.

WatchOS 2 was originally scheduled for release last week, but Apple delayed it after bugs were identified during testing. According to Apple, WatchOS 2 brings more watch faces, faster and more powerful applications, enhanced communication options, and other new features.

As for the security of WatchOS 2, Apple says it has patched a total of 38 issues, 36 of which have been assigned CVE identifiers.

The vulnerabilities fixed in WatchOS 2 affect components such as Apple Pay, Audio, CFNetwork, CoreText, the Data Detectors Engine, the dyld dynamic linker, DiskImages, ICU, IOAcceleratorFamily, IOMobileFrameBuffer, the kernel, Tidy, SQLite, removefile, and PluginKit.

According to Apple’s security advisory for WatchOS 2, these flaws could lead to arbitrary code execution, exposure of sensitive information, user activity tracking, security bypasses, and denial-of-service (DoS).

Because WatchOS is based on iOS, most of the vulnerabilities patched in WatchOS 2 were also fixed last week with the release of iOS 9. Only a couple of memory corruption issues in the GasGauge component appear to be specific to the watch operating system.

These flaws, identified by Apple’s internal security team, could allow a local attacker to execute arbitrary code with kernel privileges.

Last week, Apple released security updates for OS X Server, iTunes, Xcode and iOS 9. The latest version of the company’s mobile operating system fixes more than 100 vulnerabilities and should boost app security.

While a large number of vulnerabilities have been found in iOS in recent years, flaws that on their own pose a serious threat to users are rare. They can be so hard to find that exploit acquisition firm Zerodium has offered up to $1 million to anyone who can provide iOS 9 zero-days that can be used to fully compromise Apple mobile devices.

Apple users are nonetheless targeted by malicious actors. While some attacks exploit vulnerabilities, others rely on users and developers not following basic security practices. XcodeGhost, a recently uncovered threat, is a case in point: attackers infected legitimate iOS and OS X software by tricking developers into building their apps with a rogue copy of the Xcode development environment distributed outside Apple’s official channels.

Dozens, possibly hundreds, of iOS apps uploaded to the Apple App Store contained malicious code capable of harvesting information from infected devices and launching phishing attacks.
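The practical countermeasure against a trojanized toolchain like XcodeGhost is to verify the installed Xcode against Gatekeeper before building anything with it. The script below is an added example, not code from the original article or from Apple: it runs macOS’s spctl assessment and treats the bundle as trustworthy only when Gatekeeper reports it as accepted and signed by Apple or the Mac App Store. It assumes the standard two-line spctl --assess --verbose output (a “path: accepted” or “path: rejected” line followed by a “source=…” line) and the default install path /Applications/Xcode.app; the classification helper is split out so it can be exercised with constructed sample output on a machine without spctl.

```shell
#!/bin/sh
# Verify an Xcode install against Gatekeeper before trusting it to build apps.
# Added example. Assumed spctl --assess --verbose output (constructed sample):
#   /Applications/Xcode.app: accepted
#   source=Mac App Store
# A rejected bundle prints "...: rejected" followed by a reason line.

# Return 0 only if the assessment text says "accepted" AND the signing
# source is Apple or the Mac App Store. A re-signed, modified or unsigned
# copy of Xcode yields "rejected" or a non-Apple source and fails here.
xcode_assessment_ok() {
    out="$1"
    case "$out" in
        *": accepted"*) ;;
        *) return 1 ;;
    esac
    case "$out" in
        *"source=Mac App Store"*|*"source=Apple System"*|*"source=Apple"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the real check. Takes the bundle path, defaults to /Applications/Xcode.app.
check_xcode() {
    app="${1:-/Applications/Xcode.app}"
    if [ ! -d "$app" ]; then
        echo "no bundle at $app" >&2
        return 2
    fi
    # --assess applies the same policy Gatekeeper uses on first launch;
    # --verbose adds the source= line the helper keys on. Both the exit
    # status and the text must agree before the bundle is accepted.
    out=$(spctl --assess --verbose "$app" 2>&1)
    status=$?
    if [ "$status" -eq 0 ] && xcode_assessment_ok "$out"; then
        echo "OK: $app passes Gatekeeper"
        echo "$out"
        return 0
    fi
    echo "DO NOT USE: $app failed assessment (exit $status):" >&2
    echo "$out" >&2
    return 1
}

# Stand-alone use on a Mac; elsewhere just report that spctl is absent.
if command -v spctl >/dev/null 2>&1; then
    check_xcode "$@"
else
    echo "spctl not available (macOS only); nothing checked"
fi
```

The check is only meaningful if Gatekeeper policy has not been disabled on the build machine, and it verifies the bundle on disk, not where it came from: the safe habit remains installing Xcode only from the Mac App Store or from developer.apple.com, and re-running the assessment after any update.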

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.