
Apple WatchOS 2 Patches Tens of Vulnerabilities

Apple on Monday announced the availability of WatchOS 2. The latest version of the Apple Watch operating system patches nearly 40 security issues, including vulnerabilities that could lead to arbitrary code execution.

WatchOS 2 should have been made available last week, but Apple delayed the release due to some bugs identified during the testing process. According to Apple, WatchOS 2 brings more faces, faster and more powerful applications, enhanced communication options, and other new features.

As for the security of WatchOS 2, Apple says it has patched a total of 38 issues, 36 of which have been assigned CVE identifiers.

The vulnerabilities fixed in the Apple Watch OS affect components such as Apple Pay, audio, CFNetwork, CoreText, the data detectors engine, the “dyld” dynamic linker, DiskImages, ICU, IOAcceleratorFamily, IOMobileFrameBuffer, the kernel, Tidy, SQLite, removefile, and the plugin kit.

Apple’s security advisory for WatchOS 2 has revealed that these flaws could lead to arbitrary code execution, exposure of sensitive information, user activity tracking, security bypasses, and denial-of-service (DoS).

Since WatchOS is based on iOS, most of the vulnerabilities patched by Apple in WatchOS 2 were also patched last week with the release of iOS 9. Only a couple of memory corruption issues affecting the GasGauge component seem to be specific to the Apple Watch operating system.

These flaws, identified by Apple’s internal security team, allow a local attacker to execute arbitrary code with kernel privileges.

Last week, Apple released security updates for OS X Server, iTunes, Xcode and iOS 9. The latest version of the company’s mobile operating system fixes more than 100 vulnerabilities and should boost app security.

While a large number of vulnerabilities have been found in iOS over the past period, security holes that pose a serious threat to users don’t emerge very often. In fact, they can be so difficult to find that exploit acquisition firm Zerodium has promised up to $1 million to anyone who can provide iOS 9 zero-days that can be used to fully compromise Apple mobile devices.

On the other hand, Apple users are still targeted by malicious actors. While some attacks leverage vulnerabilities, others rely on the fact that users and developers don’t follow best security practices. A perfect example is XcodeGhost, a recently uncovered threat that malicious actors are using to infect legitimate iOS and OS X software by tricking developers into using a rogue version of the Xcode development platform.

Tens or possibly hundreds of iOS apps uploaded to the Apple App Store contained malicious code that could be used to harvest information from mobile devices and launch phishing attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
