-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2018-7-23-5 Additional information for APPLE-SA-2018-06-01-5 watchOS 4.3.1 watchOS 4.3.1 addresses the following: Bluetooth Not impacted: Apple Watch Series 3 Impact: An attacker in a privileged network position may be able to intercept Bluetooth traffic CVE-2018-5383: Lior Neumann and Eli Biham Entry added July 23, 2018 Crash Reporter Available for: All Apple Watch models Impact: An application may be able to gain elevated privileges Description: A memory corruption issue was addressed with improved error handling. CVE-2018-4206: Ian Beer of Google Project Zero FontParser Available for: All Apple Watch models Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue was addressed with improved validation. CVE-2018-4211: Proteas of Qihoo 360 Nirvan Team Kernel Available for: All Apple Watch models Impact: An application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2018-4241: Ian Beer of Google Project Zero CVE-2018-4243: Ian Beer of Google Project Zero Kernel Available for: All Apple Watch models Impact: An attacker in a privileged position may be able to perform a denial of service attack Description: A denial of service issue was addressed with improved validation. CVE-2018-4249: Kevin Backhouse of Semmle Ltd. libxpc Available for: All Apple Watch models Impact: An application may be able to gain elevated privileges Description: A logic issue was addressed with improved validation. CVE-2018-4237: Samuel Groß (@5aelo) working with Trend Micro's Zero Day Initiative Messages Available for: All Apple Watch models Impact: A local user may be able to conduct impersonation attacks Description: An injection issue was addressed with improved input validation. CVE-2018-4235: Anurodh Pokharel of Salesforce.com Messages Available for: All Apple Watch models Impact: Processing a maliciously crafted message may lead to a denial of service Description: This issue was addressed with improved message validation. CVE-2018-4240: Sriram (@Sri_Hxor) of PrimeFort Pvt. Ltd Security Available for: All Apple Watch models Impact: A local user may be able to read a persistent device identifier Description: An authorization issue was addressed with improved state management. CVE-2018-4224: Abraham Masri (@cheesecakeufo) Security Available for: All Apple Watch models Impact: A local user may be able to modify the state of the Keychain Description: An authorization issue was addressed with improved state management. CVE-2018-4225: Abraham Masri (@cheesecakeufo) Security Available for: All Apple Watch models Impact: A local user may be able to read a persistent account identifier Description: An authorization issue was addressed with improved state management. CVE-2018-4223: Abraham Masri (@cheesecakeufo) Security Available for: All Apple Watch models Impact: A local user may be able to view sensitive user information Description: An authorization issue was addressed with improved state management. CVE-2018-4226: Abraham Masri (@cheesecakeufo) UIKit Available for: All Apple Watch models Impact: Processing a maliciously crafted text file may lead to a denial of service Description: A validation issue existed in the handling of text. This issue was addressed with improved validation of text. CVE-2018-4198: Hunter Byrnes WebKit Available for: All Apple Watch models Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A race condition was addressed with improved locking. CVE-2018-4192: Markus Gaasedelen, Nick Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative WebKit Available for: All Apple Watch models Impact: Processing maliciously crafted web content may lead to an unexpected Safari crash Description: A memory corruption issue was addressed with improved input validation. CVE-2018-4214: found by OSS-Fuzz WebKit Available for: All Apple Watch models Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. CVE-2018-4246: found by OSS-Fuzz WebKit Available for: All Apple Watch models Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2018-4201: an anonymous researcher CVE-2018-4218: Natalie Silvanovich of Google Project Zero CVE-2018-4233: Samuel Groß (@5aelo) working with Trend Micro's Zero Day Initiative WebKit Available for: All Apple Watch models Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2018-4222: Natalie Silvanovich of Google Project Zero Installation note: Instructions on how to update your Apple Watch software are available at https://support.apple.com/kb/HT204641 To check the version on your Apple Watch, open the Apple Watch app on your iPhone and select "My Watch > General > About". Alternatively, on your watch, select "My Watch > General > About". Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEfcwwPWJ3e0Ig26mf8ecVjteJiCYFAltUsi0ACgkQ8ecVjteJ iCaEog//QIh62JrQmGBL3l0P1W2Bk4EbooVH34Zh5qnjomqfLwjy+oOpXFjaI6Bk EfhPV6T7H3oEct62yIR/vN6MloryDEQzzAqGpCEsLo4HadX6FROyYF9bt+NjKXpE 7CwSLQpojBCbCNSCJfsMsz6ehPRSpkG+bbgFLnd+ijKD8iXyd32r1n551cEmlzD0 5Lu4e8YcnId8S7ybbvdwQEP+5uUlS1DX3HuGmt5vVVe7IawgNZYl64uJtt2P7W2o an8MjOGtDUI6p1ZoYGwf234JnoxfSngkTJoTkt7yi+JSQbPeFxVaQrU9ZcyBX0On 07LQ0Cn2Q4+Lvklv2bk737IQ29+ePyMRH+Hf8vx4WdYsYrYvB5bXG6OEhdvj+QY3 p/YHsUasTZSx3kYecu4RvejBkypDZ0nI5xS5KdZYsFlGzgKb/rBT6ZEMCYPDxnVa 4YQv1sPDQ7XuHtwWpE4r64msWHPEufRrcZsIRlWOs89X9TgzLLQwM0AjbadMynYI yVDhSkzr1fAs8iDyFdfdhZsmRB/ex3xZNR7A6OC++HyqRqmjiWeNiceWtdOaAG1d Py4m0HpvJXoOjz/CmzduehjhSdLb66GQBjGd7j8eL8wHntQ6zYRb+rUslEHnQQXT OEfRgO8EBWKvrWS+oV2d+E8ifkJwhAbEkyVuX0oYoofDhBkm8cM= =TNGH -----END PGP SIGNATURE-----
