Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Apple WatchOS 2 Patches Tens of Vulnerabilities

Apple on Monday announced the availability of WatchOS 2. The latest version of the Apple Watch operating system patches nearly 40 security issues, including vulnerabilities that could lead to arbitrary code execution.

Apple on Monday announced the availability of WatchOS 2. The latest version of the Apple Watch operating system patches nearly 40 security issues, including vulnerabilities that could lead to arbitrary code execution.

WatchOS 2 should have been made available last week, but Apple delayed the release due to some bugs identified during the testing process. According to Apple, WatchOS 2 brings more faces, faster and more powerful applications, enhanced communication options, and other new features.

As for the security of WatchOS 2, Apple says it has patched a total of 38 issues, 36 of which have been assigned CVE identifiers.

The vulnerabilities fixed in the Apple Watch OS affect components such as Apple Pay, audio, CFNetwork, CoreText, the data detectors engine, the “dyld” dynamic linker, DiskImages, ICU, IOAcceleratorFamily, IOMobileFrameBuffer, the kernel, Tidy, SQLite, removefile, and the plugin kit.

Apple’s security advisory for WatchOS 2 has revealed that these flaws could lead to arbitrary code execution, exposure of sensitive information, user activity tracking, security bypasses, and denial-of-service (DoS).

Since WatchOS is based on iOS, most of the vulnerabilities patched by Apple in WatchOS 2 were also patched last week with the release of iOS 9. Only a couple of memory corruption issues affecting the GasGauge component seem to be specific to the Apple Watch operating system.

These flaws, identified by Apple’s internal security team, allow a local attacker to execute arbitrary code with kernel privileges.

Last week, Apple released security updates for OS X Server, iTunes, Xcode and iOS 9. The latest version of the company’s mobile operating system fixes more than 100 vulnerabilities and should boost app security.

While a large number of vulnerabilities have been found in iOS over the past period, security holes that pose a serious threat to users don’t emerge very often. In fact, they can be so difficult to find that exploit acquisition firm Zerodium has promised up to $1 million to anyone who can provide iOS 9 zero-days that can be used to fully compromise Apple mobile devices.

On the other hand, Apple users are still targeted by malicious actors. While some attacks leverage vulnerabilities, others rely on the fact that users and developers don’t follow best security practices. A perfect example is XcodeGhost, a recently uncovered threat that malicious actors are using to infect legitimate iOS and OS X software by tricking developers into using a rogue version of the Xcode development platform.

Tens or possibly hundreds of iOS apps uploaded to the Apple App Store contained malicious code that could be used to harvest information from mobile devices and launch phishing attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.