The version of iOS running on the mobile device is prior to 10.2.1 and is affected by multiple vulnerabilities:
- A prototype access flaw exists that is triggered when handling exceptions. With specially crafted web content, a context-dependent attacker may exfiltrate cross-origin data. (CVE-2017-2350)
- A flaw exists in WiFi that is triggered when handling user input. This may allow a physically present attacker to bypass the lock and briefly access the home screen. (CVE-2017-2351)
- A logic flaw exists related to state management in Auto Unlock. This may allow a physically present attacker to potentially unlock a watch when it is off the user's wrist. (CVE-2017-2352)
- A type confusion flaw exists that is triggered as input is not properly validated when handling 'SearchInputType' objects. This may allow a context-dependent attacker to potentially execute arbitrary code. (CVE-2017-2354)
- An unspecified memory initialization flaw exists that may allow a context-dependent attacker to potentially execute arbitrary code. No further details have been provided. (CVE-2017-2355)
- A flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2017-2356, CVE-2017-2362, CVE-2017-2366, CVE-2017-2369, CVE-2017-2373)
- A use-after-free error exists in the 'host_self_trap' mach trap. This may allow a local attacker to dereference already freed memory and gain elevated privileges. (CVE-2017-2360)
- A flaw exists that is triggered as input is not properly validated when handling page loading. This may allow a context-dependent attacker to exfiltrate cross-origin data. (CVE-2017-2363, CVE-2017-2364)
- A flaw exists that is triggered as input is not properly validated when handling variables. This may allow a context-dependent attacker to exfiltrate cross-origin data. (CVE-2017-2365)
- A flaw exists in Contacts that is triggered as input is not properly validated during the handling of a specially crafted contact card. This may allow a context-dependent attacker to crash the system. (CVE-2017-2368)
- An overflow condition exists in the 'mach_voucher_extract_attr_recipe_trap()' function that is triggered as certain input is not properly validated. This may allow a local attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2017-2370)
- An unspecified flaw exists that may allow a context-dependent attacker to bypass popup restrictions via a specially crafted website. No further details have been provided. (CVE-2017-2371)