For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other security updates, see Apple security updates.
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to leak sensitive user information
Description: An issue existed in the handling of return values in CCCrypt. This issue was addressed through improved key length management.
CVE-ID
CVE-2016-1802 : Klaus Rodewig
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A null pointer dereference was addressed through improved validation.
CVE-ID
CVE-2016-1803 : Ian Beer of Google Project Zero, daybreaker working with Trend Microβs Zero Day Initiative
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A local attacker may be able to read kernel memory
Description: A race condition was addressed through improved locking.
CVE-ID
CVE-2016-1807 : Ian Beer of Google Project Zero
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.
CVE-ID
CVE-2016-1808 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of Trend Micro
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: A null pointer dereference was addressed through improved validation.
CVE-ID
CVE-2016-1811 : Lander Brandt (@landaire)
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-ID
CVE-2016-1817 : Moony Li (@Flyic) and Jack Tang (@jacktang310) of Trend Micro working with Trend Microβs Zero Day Initiative
CVE-2016-1818: Juwei Lin of TrendMicro, sweetchip@GRAYHASH working with Trend Microβs Zero Day Initiative
Entry updated December 13, 2016
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption vulnerability was addressed through improved locking.
CVE-ID
CVE-2016-1819 : Ian Beer of Google Project Zero
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A null pointer dereference was addressed through improved validation.
CVE-ID
CVE-2016-1813 : Ian Beer of Google Project Zero
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed through improved memory handling.
CVE-ID
CVE-2016-1823 : Ian Beer of Google Project Zero
CVE-2016-1824 : Marco Grassi (@marcograss) of KeenLab (@keen_lab), Tencent
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-ID
CVE-2016-1827 : Brandon Azad
CVE-2016-1828 : Brandon Azad
CVE-2016-1829 : CESG
CVE-2016-1830 : Brandon Azad
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution
Description: A memory corruption issue was addressed through improved input validation.
CVE-ID
CVE-2016-1832 : Karl Williamson
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-ID
CVE-2016-1833 : Mateusz Jurczyk
CVE-2016-1834 : Apple
CVE-2016-1836 : Wei Lei and Liu Yang of Nanyang Technological University
CVE-2016-1837 : Wei Lei and Liu Yang of Nanyang Technological University
CVE-2016-1838 : Mateusz Jurczyk
CVE-2016-1839 : Mateusz Jurczyk
CVE-2016-1840 : Kostya Serebryany
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A memory corruption issue was addressed through improved memory handling.
CVE-ID
CVE-2016-1841 : Sebastian Apelt
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: An attacker in a privileged network position may be able to leak sensitive user information
Description: Shared links were sent with HTTP rather than HTTPS. This was addressed by enabling HTTPS for shared links.
CVE-ID
CVE-2016-1842 : Richard Shupak (https://www.linkedin.com/in/rshupak)
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
CVE-ID
CVE-2016-1847 : Tongbo Luo and Bo Qu of Palo Alto Networks