Home / mailings APPLE-SA-2021-02-01-4 Additional information for APPLE-SA-2021-01-26-3 watchOS 7.3
Posted on 02 February 2021
Apple Security-announceAPPLE-SA-2021-02-01-4 Additional information for
APPLE-SA-2021-01-26-3 watchOS 7.3
watchOS 7.3 addresses the following issues. Information about the
security content is also available at
https://support.apple.com/HT212148.
Analytics
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2021-1761: Cees Elzinga
Entry added February 1, 2021
APFS
Available for: Apple Watch Series 3 and later
Impact: A local user may be able to read arbitrary files
Description: The issue was addressed with improved permissions logic.
CVE-2021-1797: Thomas Tempelmann
Entry added February 1, 2021
CoreAnimation
Available for: Apple Watch Series 3 and later
Impact: A malicious application could execute arbitrary code leading
to compromise of user information
Description: A memory corruption issue was addressed with improved
state management.
CVE-2021-1760: @S0rryMybad of 360 Vulcan Team
Entry added February 1, 2021
CoreAudio
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to code
execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2021-1747: JunDong Xie of Ant Security Light-Year Lab
Entry added February 1, 2021
CoreGraphics
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted font file may lead to
arbitrary code execution
Description: An out-of-bounds write issue was addressed with improved
bounds checking.
CVE-2021-1776: Ivan Fratric of Google Project Zero
Entry added February 1, 2021
CoreText
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted text file may lead to
arbitrary code execution
Description: A stack overflow was addressed with improved input
validation.
CVE-2021-1772: Mickey Jin of Trend Micro
Entry added February 1, 2021
CoreText
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-1792: Mickey Jin & Junzhi Lu of Trend Micro
Entry added February 1, 2021
Crash Reporter
Available for: Apple Watch Series 3 and later
Impact: A local user may be able to create or modify system files
Description: A logic issue was addressed with improved state
management.
CVE-2021-1786: Csaba Fitzl (@theevilbit) of Offensive Security
Entry added February 1, 2021
Crash Reporter
Available for: Apple Watch Series 3 and later
Impact: A local attacker may be able to elevate their privileges
Description: Multiple issues were addressed with improved logic.
CVE-2021-1787: James Hutchins
Entry added February 1, 2021
FairPlay
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to disclose kernel memory
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2021-1791: Junzhi Lu (@pwn0rz), Qi Sun & Mickey Jin of Trend
Micro
Entry added February 1, 2021
FontParser
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-1758: Peter Nguyen of STAR Labs
Entry added February 1, 2021
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: A logic issue was addressed with improved state
management.
CVE-2021-1773: Xingwei Lin of Ant Security Light-Year Lab
Entry added February 1, 2021
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: This issue was addressed with improved checks.
CVE-2021-1766: Danny Rosseau of Carve Systems
Entry added February 1, 2021
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2021-1785: Xingwei Lin of Ant Security Light-Year Lab
Entry added February 1, 2021
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds write was addressed with improved input
validation.
CVE-2021-1744: Xingwei Lin of Ant Security Light-Year Lab
Entry added February 1, 2021
ImageIO
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: A logic issue was addressed with improved state
management.
CVE-2021-1818: Xingwei Lin from Ant-Financial Light-Year Security Lab
Entry added February 1, 2021
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: This issue was addressed with improved checks.
CVE-2021-1746: Xingwei Lin of Ant Security Light-Year Lab, and Mickey
Jin & Qi Sun of Trend Micro
CVE-2021-1793: Xingwei Lin of Ant Security Light-Year Lab
Entry added February 1, 2021
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-1741: Xingwei Lin of Ant Security Light-Year Lab
CVE-2021-1743: Xingwei Lin of Ant Security Light-Year Lab, and Mickey
Jin & Junzhi Lu of Trend Micro
Entry added February 1, 2021
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to a denial
of service
Description: An out-of-bounds read issue existed in the curl. This
issue was addressed with improved bounds checking.
CVE-2021-1778: Xingwei Lin of Ant Security Light-Year Lab
Entry added February 1, 2021
ImageIO
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted image may lead to arbitrary
code execution
Description: An access issue was addressed with improved memory
management.
CVE-2021-1783: Xingwei Lin of Ant Security Light-Year Lab
Entry added February 1, 2021
IOSkywalkFamily
Available for: Apple Watch Series 3 and later
Impact: A local attacker may be able to elevate their privileges
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2021-1757: Proteas and Pan ZhenPeng (@Peterpan0927) of Alibaba
Security
Entry added February 1, 2021
iTunes Store
Available for: Apple Watch Series 3 and later
Impact: Processing a maliciously crafted URL may lead to arbitrary
javascript code execution
Description: A validation issue was addressed with improved input
sanitization.
CVE-2021-1748: CodeColorist of Ant-Financial Light-Year Labs
Entry added February 1, 2021
Kernel
Available for: Apple Watch Series 3 and later
Impact: A remote attacker may be able to cause a denial of service
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-1764: Maxime Villard (m00nbsd)
Entry added February 1, 2021
Kernel
Available for: Apple Watch Series 3 and later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: Multiple issues were addressed with improved logic.
CVE-2021-1750: @0xalsr
Entry added February 1, 2021
Kernel
Available for: Apple Watch Series 3 and later
Impact: A malicious application may be able to elevate privileges.
Apple is aware of a report that this issue may have been actively
exploited.
Description: A race condition was addressed with improved locking.
CVE-2021-1782: an anonymous researcher
Swift
Available for: Apple Watch Series 3 and later
Impact: A malicious attacker with arbitrary read and write capability
may be able to bypass Pointer Authentication
Description: A logic issue was addressed with improved validation.
CVE-2021-1769: CodeColorist of Ant-Financial Light-Year Labs
Entry added February 1, 2021
WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2021-1788: Francisco Alonso (@revskills)
Entry added February 1, 2021
WebKit
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved state
handling.
CVE-2021-1789: @S0rryMybad of 360 Vulcan Team
Entry added February 1, 2021
WebKit
Available for: Apple Watch Series 3 and later
Impact: Maliciously crafted web content may violate iframe sandboxing
policy
Description: This issue was addressed with improved iframe sandbox
enforcement.
CVE-2021-1801: Eliya Stein of Confiant
Entry added February 1, 2021
WebRTC
Available for: Apple Watch Series 3 and later
Impact: A malicious website may be able to access restricted ports on
arbitrary servers
Description: A port redirection issue was addressed with additional
port validation.
CVE-2021-1799: Gregory Vishnepolsky & Ben Seri of Armis Security, and
Samy Kamkar
Entry added February 1, 2021
Additional recognition
iTunes Store
We would like to acknowledge CodeColorist of Ant-Financial Light-Year
Labs for their assistance.
Entry added February 1, 2021
Kernel
We would like to acknowledge Junzhi Lu (@pwn0rz), Mickey Jin & Jesse
Change of Trend Micro for their assistance.
Entry added February 1, 2021
libpthread
We would like to acknowledge CodeColorist of Ant-Financial Light-Year
Labs for their assistance.
Entry added February 1, 2021
Store Demo
We would like to acknowledge @08Tc3wBB for their assistance.
Entry added February 1, 2021
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/