SecurityTracker.com
Category:   Application (Multimedia)  >   Apple Watch
Vendors:   Apple
(Apple Issues Fix for Apple Watch) Apple iOS Bugs Let Remote Users Execute Arbitrary Code and Local Users Access Information and Gain Elevated Privileges
SecurityTracker Alert ID:  1032364
SecurityTracker URL:  http://securitytracker.com/id/1032364
CVE Reference:   CVE-2015-1092, CVE-2015-1094
Date:  May 19 2015
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.0.1
Description:   Multiple vulnerabilities were reported in Apple iOS. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain elevated privileges on the target system. A local user can obtain passwords or potentially sensitive information on the target system. A remote user can obtain potentially sensitive information on the target system. A remote user can conduct click-jacking attacks. Apple Watch is affected by two vulnerabilities.

An application can access an iOS interface to guess the target user's passcode [CVE-2015-1085].

An application can trigger a metadata validation flaw in IOKit audio driver objects to execute arbitrary code with system privileges [CVE-2015-1086].

A remote user with access to the backup system can exploit a relative path bug in the backup system to access restricted areas of the file system [CVE-2015-1087].

The TaiG Jailbreak Team reported this vulnerability.

The system may not fully delete Safari browsing history due to an error in clearing saved HTTP Strict Transport Security state [CVE-2015-1090].

An application can invoke the NSXMLParser to obtain potentially sensitive information [CVE-2015-1092].

Ikuya Fukumoto reported this vulnerability.

An application can exploit a flaw in IOAcceleratorFamily to determine kernel memory layout [CVE-2015-1094].

Cererdlong of Alibaba Mobile Security Team reported this vulnerability.

An application can exploit a flaw in MobileFrameBuffer to determine kernel memory layout [CVE-2015-1097].

Barak Gabai of the IBM X-Force Application Security Research Team reported this vulnerability.

When a user is using Bluetooth keyboards, QuickType may learn the user's passcode [CVE-2015-1106].

Jarrod Dwenger, Steve Favorito, Paul Reedy of ConocoPhillips, Pedro Tavares of Molecular Biophysics at UCIBIO/FCT/UNL, De Paul Sunny, and Christian Still of Evolve Media, Canada reported this vulnerability.

A physically local user can cause the device to prevent erasure of the system after failed passcode attempts [CVE-2015-1107].

Brent Erickson, Stuart Ryan of University of Technology, Sydney reported this vulnerability.

A physically local user can exceed the maximum number of failed passcode attempts [CVE-2015-1108].

A physically local user may exploit a flaw in VPN configuration logging to recover VPN credentials [CVE-2015-1109].

Josh Tway of IPVanish reported this vulnerability.

When a user downloads a podcast, the system may send unique identifiers to external servers [CVE-2015-1110].

Alex Selivanov reported this vulnerability.

Safari does not clear the 'Recently closed tabs' from the history when browsing history is deleted [CVE-2015-1111].

Frode Moe of LastFriday.no reported this vulnerability.

An application can exploit a flaw in the sandbox profile to access phone numbers or email addresses of recent contacts [CVE-2015-1113].

Andreas Kurtz of NESO Security Labs and Markus Troßbach of Heilbronn University reported this vulnerability.

An application may be able to access hardware identifiers [CVE-2015-1114].

An application can exploit an access control flaw in the telephony subsystem to access restricted functions [CVE-2015-1115].

Andreas Kurtz of NESO Security Labs and Markus Troßbach of Heilbronn University reported this vulnerability.

A UIKit error may fail to blur application snapshots in the Task Switcher. A physically local user may be able to view potentially sensitive information [CVE-2015-1116].

The mobile app team at HP Security Voltage, Aaron Rogers of Mint.com, David Edwards of Tech4Tomorrow, and David Zhang of Dropbox reported this vulnerability.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger memory corruption errors in WebKit and execute arbitrary code on the target system [CVE-2015-1123].

Randy Luecke and Anoop Menon of Google Inc reported this vulnerability.

A remote user can create specially crafted HTML that, when loaded by the target user, may cause the user to click on a different web site [CVE-2015-1125].

Phillip Moon and Matt Weston of www.sandfield.co.nz reported this vulnerability.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.

An application can obtain elevated privileges on the target system, guess the target user's passcode, and/or obtain potentially sensitive information.

A remote user can obtain potentially sensitive information.

A physically local user can exceed the maximum number of failed passcode attempts, prevent erasure of the system after failed passcode attempts, view potentially sensitive information, and/or recover VPN credentials.

Solution:   Apple has issued a fix for CVE-2015-1092 and CVE-2015-1094 for Apple Watch (1.0.1).

The Apple advisory is available at:

https://support.apple.com/en-us/HT204870

Vendor URL:  support.apple.com/kb/HT204661
Cause:   Access control error, Input validation error

Message History:   This archive entry is a follow-up to the message listed below.
Apr 9 2015 Apple iOS Bugs Let Remote Users Execute Arbitrary Code and Local Users Access Information and Gain Elevated Privileges



 Source Message Contents

Subject:  APPLE-SA-2015-05-19-1 Watch OS 1.0.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2015-05-19-1 Watch OS 1.0.1

Watch OS 1.0.1 is now available and addresses the following:

Certificate Trust Policy
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Update to the certificate trust policy
Description:  The certificate trust policy was updated. The complete
list of certificates may be viewed at
https://support.apple.com/kb/204873

FontParser
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  Processing a maliciously crafted font file may lead to
arbitrary code execution
Description:  A memory corruption issue existed in the processing of
font files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-1093 : Marc Schoenefeld

Foundation
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An application using NSXMLParser may be misused to disclose
information
Description:  An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2015-1092 : Ikuya Fukumoto

IOHIDFamily
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to determine kernel
memory layout
Description:  An issue existed in IOHIDFamily that led to the
disclosure of kernel memory content. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2015-1096 : Ilja van Sprundel of IOActive

IOAcceleratorFamily
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to determine kernel
memory layout
Description:  An issue existed in IOAcceleratorFamily that led to the
disclosure of kernel memory content. This issue was addressed by
removing unneeded code.
CVE-ID
CVE-2015-1094 : Cererdlong of Alibaba Mobile Security Team

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to cause a system denial
of service
Description:  A race condition existed in the kernel's setreuid
system call. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1099 : Mark Mentovai of Google Inc.

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker with a privileged network position may be able
to redirect user traffic to arbitrary hosts
Description:  ICMP redirects were enabled by default. This issue was
addressed by disabling ICMP redirects.
CVE-ID
CVE-2015-1103 : Zimperium Mobile Security Labs

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A remote attacker may be able to cause a denial of service
Description:  A state inconsistency issue existed in the handling of
TCP out of band data. This issue was addressed through improved state
management.
CVE-ID
CVE-2015-1105 : Kenton Varda of Sandstorm.io

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may escalate privileges using a
compromised service intended to run with reduced privileges
Description:  setreuid and setregid system calls failed to drop
privileges permanently. This issue was addressed by correctly
dropping privileges.
CVE-ID
CVE-2015-1117 : Mark Mentovai of Google Inc.

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A remote attacker may be able to bypass network filters
Description:  The system would treat some IPv6 packets from remote
network interfaces as local packets. The issue was addressed by
rejecting these packets.
CVE-ID
CVE-2015-1104 : Stephen Roettger of the Google Security Team

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker with a privileged network position may be able
to cause a denial of service
Description:  A state inconsistency existed in the processing of TCP
headers. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-1102 : Andrey Khudyakov and Maxim Zhuravlev of Kaspersky Lab

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to cause unexpected
system termination or read kernel memory
Description:  An out of bounds memory access issue existed in the
kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1100 : Maxime Villard of m00nbsd

Kernel
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  A malicious application may be able to execute arbitrary
code with system privileges
Description:  A memory corruption issue existed in the kernel. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-1101 : lokihardt@ASRT working with HP's Zero Day Initiative

Secure Transport
Available for:  Apple Watch Sport, Apple Watch,
and Apple Watch Edition
Impact:  An attacker with a privileged network position may intercept
SSL/TLS connections
Description:  Secure Transport accepted short ephemeral RSA keys,
usually used only in export-strength RSA cipher suites, on
connections using full-strength RSA cipher suites. This issue, also
known as FREAK, only affected connections to servers which support
export-strength RSA cipher suites, and was addressed by removing
support for ephemeral RSA keys.
CVE-ID
CVE-2015-1067 : Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine
Delignat-Lavaud, Alfredo Pironti, and Jean Karim Zinzindohoue of
Prosecco at Inria Paris

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/en-us/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".


Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

-----END PGP SIGNATURE-----
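
The Foundation entry in the advisory above (CVE-2015-1092) says the fix was to stop loading external entities across origins. The following Python model of such a same-origin check is an added example, not Apple's code and not part of the original advisory. The hosts `app.example` and `collector.example`, the sample document, and the decision to treat host-less URLs (such as `file:`) as never same-origin are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# External entity declarations: <!ENTITY [%] name SYSTEM "uri"> or PUBLIC "id" "uri".
EXTERNAL_ENTITY = re.compile(
    r"""<!ENTITY\s+(?:%\s+)?(?P<name>[^\s%]+)\s+
        (?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+
        (?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')""",
    re.VERBOSE,
)

# Constructed sample: one internal entity, one relative, one file:, one remote.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE feed [
  <!ENTITY copyright "Example Corp">
  <!ENTITY strings SYSTEM "strings.ent">
  <!ENTITY secret SYSTEM "file:///private/var/constructed/secret.txt">
  <!ENTITY % remote PUBLIC "-//EX//DTD" 'http://collector.example/x.dtd'>
]>
<feed>&strings;&secret;</feed>"""


def origin(url):
    """(scheme, host, port) for network URLs; None when there is no host."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None  # assumption: opaque origin that never matches anything
    scheme = parts.scheme.lower()
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme))


def audit_external_entities(xml_text, document_url):
    """Return [(name, resolved_uri, allowed)] for every external entity declared."""
    doc_origin = origin(document_url) if document_url else None
    results = []
    for m in EXTERNAL_ENTITY.finditer(xml_text):
        system_id = m.group("dq") if m.group("dq") is not None else m.group("sq")
        resolved = urljoin(document_url or "", system_id)
        # Load only when the document has a real origin and the entity shares it.
        allowed = doc_origin is not None and origin(resolved) == doc_origin
        results.append((m.group("name"), resolved, allowed))
    return results


if __name__ == "__main__":
    for row in audit_external_entities(SAMPLE, "https://app.example/data/feed.xml"):
        print(row)
```

A document parsed from memory with no base URL gets every external entity refused under this model, which is the conservative choice when the origin is unknown.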


Copyright 2021, SecurityGlobal.net LLC