For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
For more information about security, see the Apple Product Security page. You can encrypt communications with Apple using the Apple Product Security PGP Key.
Apple security documents reference vulnerabilities by CVE-ID when possible.
Released September 17, 2018
CFNetwork
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4126: Bruno Keith (@bkth_) working with Trend Micro’s Zero Day Initiative
Entry added October 30, 2018
CoreFoundation
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to elevate privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4412: The UK’s National Cyber Security Centre (NCSC)
Entry added October 30, 2018
CoreFoundation
Available for: Apple Watch Series 1 and later
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4414: The UK’s National Cyber Security Centre (NCSC)
Entry added October 30, 2018
CoreText
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted text file may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
CVE-2018-4347: an anonymous researcher
Entry added October 30, 2018
dyld
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to modify protected parts of the file system
Description: A configuration issue was addressed with additional restrictions.
CVE-2018-4433: Vitaly Cheptsov
Entry added January 22, 2019
Grand Central Dispatch
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4426: Brandon Azad
Entry added October 30, 2018
Heimdal
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4331: Brandon Azad
CVE-2018-4332: Brandon Azad
CVE-2018-4343: Brandon Azad
Entry added October 30, 2018
IOHIDFamily
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.
CVE-2018-4408: Ian Beer of Google Project Zero
Entry added October 30, 2018, updated August 1, 2019
IOKit
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to break out of its sandbox
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4341: Ian Beer of Google Project Zero
CVE-2018-4354: Ian Beer of Google Project Zero
Entry added October 30, 2018
IOKit
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
CVE-2018-4383: Apple
Entry added October 24, 2018
IOUserEthernet
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4401: Apple
Entry added October 30, 2018
iTunes Store
Available for: Apple Watch Series 1 and later
Impact: An attacker in a privileged network position may be able to spoof password prompts in the iTunes Store
Description: An input validation issue was addressed with improved input validation.
CVE-2018-4305: Jerry Decime
Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to read restricted memory
Description: An input validation issue existed in the kernel. This issue was addressed with improved input validation.
CVE-2018-4363: Ian Beer of Google Project Zero
Kernel
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved memory handling.
CVE-2018-4336: Brandon Azad
CVE-2018-4337: Ian Beer of Google Project Zero
CVE-2018-4340: Mohamed Ghannam (@_simo36)
CVE-2018-4344: The UK’s National Cyber Security Centre (NCSC)
CVE-2018-4425: cc working with Trend Micro’s Zero Day Initiative, Juwei Lin (@panicaII) of Trend Micro working with Trend Micro’s Zero Day Initiative
Entry added September 24, 2018, updated October 30, 2018
Kernel
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to leak sensitive user information
Description: An access issue existed with privileged API calls. This issue was addressed with additional restrictions.
CVE-2018-4399: Fabiano Anemone (@anoane)
Entry added October 30, 2018
Kernel
Available for: Apple Watch Series 1 and later
Impact: An attacker in a privileged network position may be able to execute arbitrary code
Description: A memory corruption issue was addressed with improved validation.
CVE-2018-4407: Kevin Backhouse of Semmle Ltd.
Entry added October 30, 2018
Safari
Available for: Apple Watch Series 1 and later
Impact: A local user may be able to discover websites a user has visited
Description: A consistency issue existed in the handling of application snapshots. The issue was addressed with improved handling of application snapshots.
CVE-2018-4313: 11 anonymous researchers, David Scott, Enes Mert Ulu of Abdullah Mürşide Özünenek Anadolu Lisesi - Ankara/Türkiye, Mehmet Ferit Daştan of Van Yüzüncü Yıl University, Metin Altug Karakaya of Kaliptus Medical Organization, Vinodh Swami of Western Governor’s University (WGU)
Security
Available for: Apple Watch Series 1 and later
Impact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm
Description: This issue was addressed by removing RC4.
CVE-2016-1777: Pepi Zawodsky
Security
Available for: Apple Watch Series 1 and later
Impact: A local user may be able to cause a denial of service
Description: This issue was addressed with improved checks.
CVE-2018-4395: Patrick Wardle of Digita Security
Entry added October 30, 2018
Symptom Framework
Available for: Apple Watch Series 1 and later
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds checking.
CVE-2018-4203: Bruno Keith (@bkth_) working with Trend Micro’s Zero Day Initiative
Entry added October 30, 2018
Text
Available for: Apple Watch Series 1 and later
Impact: Processing a maliciously crafted text file may lead to a denial of service
Description: A denial of service issue was addressed with improved validation.
CVE-2018-4304: jianan.huang (@Sevck)
Entry added October 30, 2018
WebKit
Available for: Apple Watch Series 1 and later
Impact: A malicious website may cause unexepected cross-origin behavior
Description: A cross-origin issue existed with iframe elements. This was addressed with improved tracking of security origins.
CVE-2018-4319: John Pettitt of Google
Entry added September 24, 2018
WebKit
Available for: Apple Watch Series 1 and later
Impact: Unexpected interaction causes an ASSERT failure
Description: A memory consumption issue was addressed with improved memory handling.
CVE-2018-4361: found by OSS-Fuzz
CVE-2018-4474: found by OSS-Fuzz
Entry added September 24, 2018, updated January 22, 2019
WebKit
Available for: Apple Watch Series 1 and later
Impact: Unexpected interaction causes an ASSERT failure
Description: A memory corruption issue was addressed with improved validation.
CVE-2018-4191: found by OSS-Fuzz
Entry added September 24, 2018
WebKit
Available for: Apple Watch Series 1 and later
Impact: Cross-origin SecurityErrors includes the accessed frame’s origin
Description: The issue was addressed by removing origin information.
CVE-2018-4311: Erling Alf Ellingsen (@steike)
Entry added September 24, 2018
WebKit
Available for: Apple Watch Series 1 and later
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.
CVE-2018-4299: Samuel Groβ (saelo) working with Trend Micro’s Zero Day Initiative
CVE-2018-4359: Samuel Groß (@5aelo)
CVE-2018-4358: @phoenhex team (@bkth_ @5aelo @_niklasb) working with Trend Micro’s Zero Day Initiative
Entry added September 24, 2018
Core Data
We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance.
Sandbox Profiles
We would like to acknowledge Tencent Keen Security Lab working with Trend Micro’s Zero Day Initiative for their assistance.
SQLite
We would like to acknowledge Andreas Kurtz (@aykay) of NESO Security Labs GmbH for their assistance.
WebKit
We would like to acknowledge Tencent Keen Security Lab working with Trend Micro’s Zero Day Initiative for their assistance.