Home / mailingsPDF  

APPLE-SA-2019-12-10-8 watchOS 6.1.1

Posted on 11 December 2019
Apple Security-announce

APPLE-SA-2019-12-10-8 watchOS 6.1.1

watchOS 6.1.1 is now available and addresses the following:

CallKit
Available for: Apple Watch Series 1 and later
Impact: Calls made using Siri may be initiated using the wrong
cellular plan on devices with two active plans
Description: An API issue existed in the handling of outgoing phone
calls initiated with Siri. This issue was addressed with improved
state handling.
CVE-2019-8856: Fabrice TERRANCLE of TERRANCLE SARL

CFNetwork Proxies
Available for: Apple Watch Series 1 and later
Impact: An application may be able to gain elevated privileges
Description: This issue was addressed with improved checks.
CVE-2019-8848: Zhuo Liang of Qihoo 360 Vulcan Team

FaceTime
Available for: Apple Watch Series 1 and later
Impact: Processing malicious video via FaceTime may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8830: Natalie Silvanovich of Google Project Zero

IOUSBDeviceFamily
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8836: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc.
and Luyi Xing of Indiana University Bloomington

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed by removing the
vulnerable code.
CVE-2019-8833: Ian Beer of Google Project Zero

Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8828: Cim Stordal of Cognite
CVE-2019-8838: Dr Silvio Cesare of InfoSect

libexpat
Available for: Apple Watch Series 1 and later
Impact: Parsing a maliciously crafted XML file may lead to disclosure
of user information
Description: This issue was addressed by updating to expat version
2.2.8.
CVE-2019-15903: Joonun Jang

Security
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8832: Insu Yun of SSLab at Georgia Tech

WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-8844: William Bowling (@wcbowling)

Additional recognition

Accounts
We would like to acknowledge Kishan Bagaria (KishanBagaria.com) and
Tom Snelling of Loughborough University for their assistance.

Core Data
We would like to acknowledge Natalie Silvanovich of Google Project
Zero for their assistance.

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 

TOP