Exploit the possiblities

Apple Security Advisory 2017-09-25-5

Apple Security Advisory 2017-09-25-5
Posted Sep 28, 2017
Authored by Apple | Site apple.com

Apple Security Advisory 2017-09-25-5 - watchOS 4 addresses denial of service, memory corruption, and various other vulnerabilities.

tags | advisory, denial of service, vulnerability
systems | apple
advisories | CVE-2016-9063, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-0381, CVE-2017-1000373, CVE-2017-10989, CVE-2017-7080, CVE-2017-7083, CVE-2017-7086, CVE-2017-7103, CVE-2017-7105, CVE-2017-7108, CVE-2017-7110, CVE-2017-7112, CVE-2017-7114, CVE-2017-7116, CVE-2017-7127, CVE-2017-7128, CVE-2017-7129, CVE-2017-7130, CVE-2017-9233
MD5 | 5f5a23477225d5861f78bedc8d5d47ca

Apple Security Advisory 2017-09-25-5

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

APPLE-SA-2017-09-25-5
Additional information for APPLE-SA-2017-09-20-2 watchOS 4

watchOS 4 addresses the following:

CFNetwork Proxies
Available for: All Apple Watch models
Impact: An attacker in a privileged network position may be able to
cause a denial of service
Description: Multiple denial of service issues were addressed through
improved memory handling.
CVE-2017-7083: Abhinav Bansal of Zscaler Inc.
Entry added September 25, 2017

CoreAudio
Available for: All Apple Watch models
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed by updating to Opus
version 1.1.4.
CVE-2017-0381: V.E.O (@VYSEa) of Mobile Threat Research Team, Trend
Micro
Entry added September 25, 2017

Kernel
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7114: Alex Plaskett of MWR InfoSecurity
Entry added September 25, 2017

libc
Available for: All Apple Watch models
Impact: A remote attacker may be able to cause a denial-of-service
Description: A resource exhaustion issue in glob() was addressed
through an improved algorithm.
CVE-2017-7086: Russ Cox of Google
Entry added September 25, 2017

libc
Available for: All Apple Watch models
Impact: An application may be able to cause a denial of service
Description: A memory consumption issue was addressed through
improved memory handling.
CVE-2017-1000373
Entry added September 25, 2017

libexpat
Available for: All Apple Watch models
Impact: Multiple issues in expat
Description: Multiple issues were addressed by updating to version
2.2.1
CVE-2016-9063
CVE-2017-9233
Entry added September 25, 2017

Security
Available for: All Apple Watch models
Impact: A revoked certificate may be trusted
Description: A certificate validation issue existed in the handling
of revocation data. This issue was addressed through improved
validation.
CVE-2017-7080: an anonymous researcher, Sven Driemecker of adesso
mobile solutions gmbh, an anonymous researcher, Rune Darrud
(@theflyingcorpse) of BA|rum kommune
Entry added September 25, 2017

SQLite
Available for: All Apple Watch models
Impact: Multiple issues in SQLite
Description: Multiple issues were addressed by updating to version
3.19.3.
CVE-2017-10989: found by OSS-Fuzz
CVE-2017-7128: found by OSS-Fuzz
CVE-2017-7129: found by OSS-Fuzz
CVE-2017-7130: found by OSS-Fuzz
Entry added September 25, 2017

SQLite
Available for: All Apple Watch models
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7127: an anonymous researcher
Entry added September 25, 2017

Wi-Fi
Available for: All Apple Watch models
Impact: Malicious code executing on the Wi-Fi chip may be able to
execute arbitrary code with kernel privileges on the application
processor
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2017-7103: Gal Beniamini of Google Project Zero
CVE-2017-7105: Gal Beniamini of Google Project Zero
CVE-2017-7108: Gal Beniamini of Google Project Zero
CVE-2017-7110: Gal Beniamini of Google Project Zero
CVE-2017-7112: Gal Beniamini of Google Project Zero

Wi-Fi
Available for: All Apple Watch models
Impact: Malicious code executing on the Wi-Fi chip may be able to
read restricted kernel memory
Description: A validation issue was addressed with improved input
sanitization.
CVE-2017-7116: Gal Beniamini of Google Project Zero

zlib
Available for: All Apple Watch models
Impact: Multiple issues in zlib
Description: Multiple issues were addressed by updating to version
1.2.11.
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
Entry added September 25, 2017

Additional recognition

Security
We would like to acknowledge Abhinav Bansal of Zscaler, Inc.
for their assistance.

Installation note:

Instructions on how to update your Apple Watch software are
available at https://support.apple.com/kb/HT204641

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select "My Watch > General > About".

Alternatively, on your watch, select "My Watch > General > About".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJZyUQgAAoJEIOj74w0bLRGqL0QAIfT73f98ConKBEM8SMpm/g/
CtIS26bKtiSIniKWXjj0CHRcnFT4FPos5md2yNhBOTWIgChGtulnORWSowWu2RtI
LVxqskUc97e6LLoTzFc8AM8q6b3Km2cx7C2iVNZWFrLO/JeDHfC8x2pMCgAT8Bx4
Q5FbDIGwD5+w+UYHgIVytqEPvt29OEwOBi41/f78Bvqj1oMf5+EQGjMFU+pECWGg
zDucvK0iirv+5k5YcovpiQlaqx0QBPTMcaZJQLDY3t6k2RpdJZr5M7xd4Oanu0l1
E2blAl4CWN8zSQkdUfMdlamXYWwOvyv4b9iKb0+sKeLWHpWbaQ/LmOHuPHjvFgRq
YWE72P3l5IVWSPZfgsUvD+70uHAobv70MB5O+TQnbLCemnwqq19psez8PMYR2fTF
OfV0Dr6mpsa2GAVexNesEodlLz5a7kdjiBEAIUujJZzL8bVGdHjNll2qxHZCwlUW
mWrxqot2QnymQ7Ycs1mGxg/97snO1eGT44BjVpQ47COSzI+YBhg2lLP15sGdRbF5
viCWhLkJGNBUN7naV/Jsj8sJNW0RBC1tkEz9cfRBLkU7ObtkJCORTwnmiz0jNzQf
gvtVsBC+nBAlJA40Do1lB8rQw1yyizcUmckDywcJg7MatkwIymdgashIR/LVeBHR
39wnv7L2yjedzyd+/y5E
=ACi9
-----END PGP SIGNATURE-----



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close