Apple watchOS2 Includes Host of Code-Execution Patches

Apple today brought a smile to the face of gadget geeks with the release of watchOS2, and for the second time in five months, a new version of the Apple Watch operating system brought with it a flurry of security patches.

This round includes more than a dozen code execution vulnerabilities in a number of components, along with some certificate validation issues in CFNetwork. Apple also patched a bug in dyld, the OS’ dynamic linker, reported by the Pangu Team known for its iOS jailbreak exploits.

Apple said in its advisory that the dyld vulnerability, if exploited, allowed applications to bypass code signing.

“An issue existed with validation of the code signature of executables,” Apple said. “This issue was addressed through improved bounds checking.”

Apple also addressed a handful of vulnerabilities in CFNetwork, a framework within the Core Services framework that developers use as a library of network protocol abstractions. Two of the bugs could allow an attacker in a man-in-the-middle position to read SSL/TLS traffic, or track user activity. Apple said it fixed both issues by improving certificate validation and better restricting cookie creation, respectively.

Apple also fixed an issue in the way watchOS handles proxy connect responses that could allow an attacker to set malicious cookies via a proxy.

The remaining CFNetwork vulnerabilities put privacy and other hosts on a network at risk.

One patch addressed an issue in FTP clients that could cause the client to perform reconnaissance on other hosts, Apple said, while the other is an encryption issue that required physical access to an iOS device in order to exploit it.

“Cache data was encrypted with a key protected only by the hardware UID,” Apple said. “This issue was addressed by encrypting the cache data with a key protected by the hardware UID and the user’s passcode.”

Apple also patched a half-dozen issues in the watchOS kernel, most of which addressed memory corruption vulnerabilities that could lead to code execution with kernel privileges. Also among the kernel bugs was an issue that enabled a local attacker to control the value of stack cookies, while another allowed attackers on a local LAN to disable IPv6 routing. Apple also patched a kernel memory leak vulnerability and a separate denial of service issue.

The first round of watchOS patches was released in May, and it was a relatively tame release compared to today’s. Only one code execution bug was addressed, along with a number of privilege escalation and denial of service issues.

Provided from: Techcrunch.